Date:      Mon, 14 Dec 2009 08:28:24 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Jack Raats <jack@jarasoft.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Jails and IPFW
Message-ID:  <4B25F728.9060408@infracaninophile.co.uk>
In-Reply-To: <07A054B7DD6A4672AC48684DEAB31697@jarasc430>

Jack Raats wrote:
> Hi,
> 
> I'm looking for a good manual how to implement ipfw in and with jails.
> Google doesn't give anything useful.
> 
> Thanks for your time

By default, the only way you can implement firewalling (either ipfw, ipf
or pf) is within the host system -- it simply has not been possible to
control firewalls from within a jail.

Until now, that is.

You will need to be running 8.0-RELEASE or a more recent version. You will
also need to compile yourself a custom kernel with

   options VIMAGE

This is /experimental/[*] code that allows each jail to have its own
virtualised network stack aka "vnet", which includes being able to run a
per-jail instance of firewalling software.  According to 

http://www.freebsd.org/releases/8.0R/relnotes-detailed.html#KERNEL

you will need a command line along the lines of the following to create
a vnet-enabled jail:

   # jail -c vnet name=vnet1 host.hostname=vnet1.example.net path=/ persist

There's not much online discussion about this yet, but one key piece of
information you will need is how to move a network interface into a jail --
look for the description of the 'vnet' option in ifconfig(8).  You might
also be interested in the new epair(4) driver, which is one step more
complicated than a loopback interface in that it creates a back-to-back
pair of synthetic ethernet interfaces. (The idea being that you move one
end of the pair into a jail to give yourself a connection from the jail to
the outside world.)

	Cheers,

	Matthew

[*] As in: no refunds will be given.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAksl9y4ACgkQ8Mjk52CukIz3wwCfTiuSQ38mTHobMo+tjOV95ciY
68EAoIm60LoXI9MZ5h5opoxNDkufsldP
=RxJy
-----END PGP SIGNATURE-----
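The steps Matthew sketches above (a vnet jail, an epair(4) pair with one end moved into the jail via the ifconfig 'vnet' option, and a firewall instance inside the jail) put together as one script. This is an added example, not code from the mail or from the FreeBSD project: the jail name, epair unit, 192.0.2.x addresses and the ipfw rule set are constructed for illustration, jexec(8) and kldload(8) are the stock FreeBSD tools, and `path=/` is kept from the mail's command (a real deployment points `path` at the jail's own root directory). It needs an 8.0-or-later kernel built with `options VIMAGE` and root; with `DRY_RUN=1` it only prints the commands, so the sequence can be reviewed on any machine before touching a host.

```shell
#!/bin/sh
# Added example: bring up a vnet jail joined to the host by an epair(4) link,
# then load a per-jail ipfw ruleset. Names and addresses below are constructed.
set -eu

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_vnet_jail NAME EPAIR_UNIT HOST_IP JAIL_IP
#   NAME        jail name, e.g. vnet1
#   EPAIR_UNIT  N in epairN; "ifconfig epairN create" yields epairNa and epairNb
#   HOST_IP     address for the host end (epairNa)
#   JAIL_IP     address for the jail end (epairNb)
setup_vnet_jail() {
    name=$1
    unit=$2
    host_ip=$3
    jail_ip=$4
    a="epair${unit}a"   # stays on the host
    b="epair${unit}b"   # moves into the jail

    # ipfw must be in the host kernel for the jail's vnet to get its own
    # instance. kldload exits non-zero if the module is already present,
    # which set -e would treat as fatal, hence the kldstat check.
    if [ "${DRY_RUN:-0}" = 1 ] || ! kldstat -q -m ipfw 2>/dev/null; then
        run kldload ipfw
    fi

    # 1. Jail with its own virtualised network stack (command from the mail;
    #    path=/ shares the host filesystem and is only suitable for a quick test).
    run jail -c vnet name="$name" host.hostname="$name.example.net" path=/ persist

    # 2. Back-to-back pair of synthetic ethernet interfaces; the "b" end is
    #    handed to the jail with the ifconfig vnet option from ifconfig(8).
    run ifconfig "epair${unit}" create
    run ifconfig "$b" vnet "$name"

    # 3. Address both ends. Inside the jail the interfaces are configured
    #    with jexec, since they are no longer visible from the host stack.
    run ifconfig "$a" inet "$host_ip/24" up
    run jexec "$name" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$name" ifconfig "$b" inet "$jail_ip/24" up

    # 4. Firewall rules that live in the jail's own ipfw instance: loopback,
    #    stateful outbound, inbound SSH only, and a logged default deny.
    run jexec "$name" ipfw -q flush
    run jexec "$name" ipfw -q add 100 allow ip from any to any via lo0
    run jexec "$name" ipfw -q add 200 check-state
    run jexec "$name" ipfw -q add 300 allow tcp from me to any out setup keep-state
    run jexec "$name" ipfw -q add 400 allow tcp from any to me 22 in setup keep-state
    run jexec "$name" ipfw -q add 65000 deny log ip from any to any
}

# Invoke directly as: [DRY_RUN=1] ./vnet-jail.sh vnet1 0 192.0.2.1 192.0.2.2
if [ $# -ge 4 ]; then
    setup_vnet_jail "$@"
fi
```

Because the jail's ruleset lives in its own ipfw instance, `ipfw list` on the host does not show it; check it with `jexec vnet1 ipfw list`, and check which stack an interface belongs to with plain `ifconfig` on the host versus `jexec vnet1 ifconfig`.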