Date: Mon, 14 Dec 2009 08:28:24 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Jack Raats <jack@jarasoft.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: Jails and IPFW
Message-ID: <4B25F728.9060408@infracaninophile.co.uk>
In-Reply-To: <07A054B7DD6A4672AC48684DEAB31697@jarasc430>
References: <07A054B7DD6A4672AC48684DEAB31697@jarasc430>
Jack Raats wrote:
> Hi,
>
> I'm looking for a good manual on how to implement ipfw in and with jails.
> Google doesn't give anything useful
>
> Thanks for your time

By default, the only way you can implement firewalling (either ipfw, ipf
or pf) is within the host system -- it simply has not been possible to
control firewalls from within a jail.

Until now, that is. You will need to be running 8.0-RELEASE or a more
recent version. You will also need to compile yourself a custom kernel
with

    options VIMAGE

This is /experimental/[*] code that allows each jail to have its own
virtualised network stack aka "vnet", which includes being able to run a
per-jail instance of firewalling software. According to

    http://www.freebsd.org/releases/8.0R/relnotes-detailed.html#KERNEL

You will need a commandline along the lines of the following to create a
vnet enabled jail:

    # jail -c vnet name=vnet1 host.hostname=vnet1.example.net path=/ persist

There's not much online discussion about this yet, but one key piece of
information you will need is how to move a network interface into a jail
-- look for the description of the 'vnet' option in ifconfig(8).

You might also be interested in the new epair(4) driver, which is one
step more complicated than a loopback interface in that it creates a
back-to-back pair of synthetic ethernet interfaces. (The idea being that
you move one end of the pair into a jail to give yourself a connection
from the jail to the outside world.)

Cheers,

Matthew

[*] As in: no refunds will be given.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
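The procedure Matthew sketches (VIMAGE kernel, a vnet jail created with jail(8), one end of an epair(4) pair moved in with ifconfig's 'vnet' option, then ipfw driven from inside the jail), written out as an added shell example. It is not part of the original message or of FreeBSD's own scripts. Assumed: FreeBSD 8.0 or later with a kernel built with "options VIMAGE" and ipfw available, the jail name and hostname from the message, a constructed jail root /jails/vnet1, epair unit 0, and RFC 5737 documentation addresses; the run/injail helpers and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message): bring up a VIMAGE jail with
# its own epair(4) link and load an ipfw ruleset from inside the jail.
# Assumes FreeBSD 8.0+, "options VIMAGE" in the kernel, and ipfw in the kernel.
# Names and addresses below are constructed placeholders.

JAIL_NAME="${JAIL_NAME:-vnet1}"                 # as in the message
JAIL_HOST="${JAIL_HOST:-vnet1.example.net}"     # as in the message
JAIL_PATH="${JAIL_PATH:-/jails/vnet1}"          # constructed jail root
EPAIR_UNIT="${EPAIR_UNIT:-0}"                   # epair0a stays on the host, epair0b moves in
HOST_IP="${HOST_IP:-192.0.2.1/24}"              # constructed (RFC 5737)
JAIL_IP="${JAIL_IP:-192.0.2.2/24}"              # constructed (RFC 5737)
DRY_RUN="${DRY_RUN:-0}"                         # 1 = print commands instead of running them

# run: execute a command on the host, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# injail: run a command inside the jail's own network stack via jexec(8)
injail() {
    run jexec "$JAIL_NAME" "$@"
}

vnet_jail_up() {
    a="epair${EPAIR_UNIT}a"
    b="epair${EPAIR_UNIT}b"

    # 1. Create the back-to-back pair; the "a" end stays on the host.
    run ifconfig "epair${EPAIR_UNIT}" create
    run ifconfig "$a" inet "$HOST_IP" up

    # 2. Create the jail with its own vnet. "persist" keeps it alive while
    #    no process is running inside it yet.
    run jail -c vnet name="$JAIL_NAME" host.hostname="$JAIL_HOST" \
        path="$JAIL_PATH" persist

    # 3. Move the "b" end into the jail (ifconfig(8) 'vnet' option). It
    #    vanishes from the host's ifconfig output and appears in the jail.
    run ifconfig "$b" vnet "$JAIL_NAME"

    # 4. Address the interfaces from inside the jail; a fresh vnet has no
    #    address on lo0 either.
    injail ifconfig lo0 inet 127.0.0.1/8 up
    injail ifconfig "$b" inet "$JAIL_IP" up

    # 5. Per-jail ipfw ruleset: loopback free, stateful outbound, only SSH
    #    inbound, everything else dropped and logged. Because the jail has
    #    its own stack, 'me' here means the jail's own addresses only.
    injail ipfw -q flush
    injail ipfw add 100 allow ip from any to any via lo0
    injail ipfw add 200 check-state
    injail ipfw add 300 allow tcp from me to any out setup keep-state
    injail ipfw add 400 allow udp from me to any 53 out keep-state
    injail ipfw add 500 allow tcp from any to me 22 in setup keep-state
    injail ipfw add 65000 deny log ip from any to any
}

vnet_jail_down() {
    # Removing the jail hands the "b" end back to the host; destroying the
    # "a" end then removes the whole pair.
    run jail -r "$JAIL_NAME"
    run ifconfig "epair${EPAIR_UNIT}a" destroy
}

# Only act on an explicit verb, so the file can be sourced safely.
case "${1:-}" in
    up)   vnet_jail_up ;;
    down) vnet_jail_down ;;
esac
```

Run as root with `sh vnet-jail.sh up` and tear down with `sh vnet-jail.sh down`; `DRY_RUN=1 sh vnet-jail.sh up` prints the command sequence without touching the system. Two points worth keeping in mind: if the kernel's ipfw defaults to deny (no IPFIREWALL_DEFAULT_TO_ACCEPT), the jail's stack starts with all traffic blocked, so load the jail's rules before starting any service in it, as above; and the host's own ipfw still sees every packet on epair0a, so the host ruleset and the jail ruleset both have to permit a flow for it to pass.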