From owner-freebsd-stable@FreeBSD.ORG Mon Dec 14 08:21:12 2009
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 495041065672 for ; Mon, 14 Dec 2009 08:21:12 +0000 (UTC) (envelope-from pprocacci@datapipe.com)
Received: from EXFESMQ01.datapipe-corp.net (exchange.datapipe.net [64.106.130.71]) by mx1.freebsd.org (Postfix) with ESMTP id 11A4B8FC1D for ; Mon, 14 Dec 2009 08:21:12 +0000 (UTC)
Received: from [10.5.21.3] (192.168.128.24) by EXFESMQ01.datapipe-corp.net (64.106.130.71) with Microsoft SMTP Server id 8.1.393.1; Mon, 14 Dec 2009 03:21:11 -0500
Message-ID: <4B25F54B.3000601@datapipe.com>
Date: Mon, 14 Dec 2009 02:20:27 -0600
From: Paul Procacci
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Jack Raats
References: <07A054B7DD6A4672AC48684DEAB31697@jarasc430> <4B25CE1C.8030305@datapipe.com> <2E2F1B2A67C84F5AAD96D20E72897EF6@jarasc430>
In-Reply-To: <2E2F1B2A67C84F5AAD96D20E72897EF6@jarasc430>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Cc: "freebsd-stable@freebsd.org"
Subject: Re: Jails and IPFW
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 14 Dec 2009 08:21:12 -0000

I hope I'm not misinterpreting your response. Given what you stated, I perceive what you stated is correct.

Just a thought, but it might make sense for you to specify -J (man jail) via jail__flags via rc.conf for each of your configured jails. Perhaps this would be easier on _you_ for future and current administration of your firewall. This would allow you to add a tad of logic to your firewall script that grabs a specific jail id and uses it instead.
Also, this allows you to move IPs without much trouble if you ever plan on doing so. Here is an example that I have for a jail that I've got trimmed to hopefully make it easy on the eyes:

###############################################
rc.conf
--------------------
jail_xxx_flags="-J /var/jail/xxx"

ipfw.conf
--------------------------
cmd="ipfw -q"
pif="bge0"
# -J makes jail(8) write a JID file; field 1 (tab-separated) is the jail ID
xxx_id=`cut -f1 < /var/jail/xxx`

# "jail $xxx_id" restricts the rule to traffic belonging to that jail only
$cmd add 506 allow tcp from any to me 22,80,443 in via $pif setup jail $xxx_id limit src-addr 6
###############################################

Hope this gives ya some insight and/or potentially will make things easier for ya.

~Paul

One suggestion, however, would be to use different rule numbers for these rules, as it could be a slight pain to modify later.

Jack Raats wrote:
> Hi Paul,
>
> I'll understand, but I want to run apache and ssh on both jails using their
> standard configs.
> (So they listen to every ip address and interface).
>
> From your answer I learn that ipfw has to run on the host machine like:
> $IPF add 6000 pass tcp from any to $jail1 22,80 in
> $IPF add 6000 pass tcp from any to $jail2 22,80 in
>
> Jack
>
> ----- Original Message -----
> From: "Paul Procacci"
> To: "Jack Raats"
> Cc:
> Sent: Monday, December 14, 2009 6:33 AM
> Subject: Re: Jails and IPFW
>
>
> If you are asking whether the root user of the jail can implement their
> own firewall, then no, that is not possible.
> If you are asking whether you can use ipfw alongside jails, then yes,
> you can. The administration of said firewall doesn't change one bit due
> to the introduction of a jail.
> So, if it's information pertaining to ipfw that you need, then `man ipfw`
> is what you seek.
>
> ~Paul
>
>
> Jack Raats wrote:
>
>> Hi,
>>
>> I'm looking for a good manual how to implement ipfw in and with jails.
>> Google doesn't give anything useful
>>
>> Thanks for your time
>>
>> Jack
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>>
>>
>
>
> This message may contain confidential or privileged information. If you are
> not the intended recipient, please advise us immediately and delete this
> message. See http://www.datapipe.com/emaildisclaimer.aspx for further
> information on confidentiality and the risks of non-secure electronic
> communication. If you cannot access these links, please notify us by reply
> message and we will send the contents to you.
>
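Paul's -J/JID-file approach, carried one step further as an added example (this is not code from the thread): a POSIX sh script that reads each jail's JID file, validates the jail ID before it is spliced into a rule, and emits one ipfw rule per jail with its own rule number, as the postscript suggests. The JID file layout (tab-separated, ID in field 1, which the `cut -f1` in the thread also relies on), the `jail_rule`/`jail_rules_all` function names and the sample jails are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build one ipfw rule per jail from
# the JID files that `jail -J` writes, giving each jail its own rule number
# and refusing to emit a rule when the JID cannot be read or is not numeric.
# Assumption: the JID file is tab-separated with the jail ID in field 1.

# jail_rule JIDFILE RULENUM PIF PORTS: print the ipfw command for one jail.
# Returns 1 and prints nothing if the JID file is missing or corrupt, so a
# rule with an empty or garbage "jail" argument never reaches ipfw.
jail_rule() {
    jidfile=$1; rulenum=$2; pif=$3; ports=$4
    if [ ! -r "$jidfile" ]; then
        echo "jail_rule: no JID file $jidfile (jail not running?)" >&2
        return 1
    fi
    jid=$(cut -f1 < "$jidfile")
    case $jid in
        ''|*[!0-9]*) echo "jail_rule: bad JID '$jid' in $jidfile" >&2; return 1 ;;
    esac
    printf 'ipfw -q add %s allow tcp from any to me %s in via %s setup jail %s limit src-addr 6\n' \
        "$rulenum" "$ports" "$pif" "$jid"
}

# jail_rules_all JIDDIR BASE PIF PORTS: one rule per JID file in JIDDIR,
# numbered BASE, BASE+1, ... so each jail's rule can be changed on its own.
# Jails whose JID file fails the checks are skipped and reported on stderr.
jail_rules_all() {
    jiddir=$1; num=$2
    for f in "$jiddir"/*; do
        [ -e "$f" ] || continue
        jail_rule "$f" "$num" "$3" "$4" || continue
        num=$((num + 1))
    done
}

# Constructed sample JID files in a temporary directory (layout assumed:
# jid, path, hostname, IP, command); "broken" is deliberately corrupt.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '3\t/usr/jails/www\twww.example.net\t192.0.2.10\t/bin/sh\n'   > "$demo_dir/www"
printf '7\t/usr/jails/mail\tmail.example.net\t192.0.2.11\t/bin/sh\n' > "$demo_dir/mail"
printf 'oops\n' > "$demo_dir/broken"

# Prints rules 506 (mail, jail 7) and 507 (www, jail 3); "broken" is skipped.
jail_rules_all "$demo_dir" 506 bge0 22,80,443
```

Pipe the output into sh once it looks right, or keep the generator in the firewall script so the rules track whatever JIDs the jails have after a restart.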