From owner-freebsd-questions@FreeBSD.ORG Fri Jul 18 20:44:09 2008
From: "David Allen"
To: "Wojciech Puchar"
Cc: "Andrew D (Webzone)", freebsd-questions@freebsd.org
Date: Fri, 18 Jul 2008 13:44:08 -0700
Subject: Re: quick question regarding jails.
Message-ID: <2daa8b4e0807181344tbc82a6dx6f0240743a23c082@mail.gmail.com>
In-Reply-To: <20080718104622.D2365@wojtek.tensor.gdynia.pl>
References: <48803F1E.7050302@webzone.net.au> <20080718104622.D2365@wojtek.tensor.gdynia.pl>

On Fri, Jul 18, 2008 at 1:46 AM, Wojciech Puchar wrote:
>>
>> Just wondering if a box has 2 Ethernet cards with each card going to a
>> different gateway/network, is it possible to stick a jail on the machine
>> listening on one network interface and routing data out one
>> card/network/gateway while the rest of the system uses the other port and
>> gateway/network.
>
> yes - no problem

For most values of "yes". For others, the answer is "It depends."

Yes, you can configure daemons running on the host to bind to one interface, and configure daemons running on the jail to bind to a different interface. However, host <-> jail communications occur over loopback, and "routing data" between the two, if that's the question being asked, has its limitations. I brought up this problem just recently.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=407605+0+archive/2008/freebsd-questions/20080713.freebsd-questions

To sum up, if a jail host running at 10.0.0.1 connects to a jail running at 10.0.0.2, the traffic will occur over lo0, and BOTH endpoints of that connection will use the jail (10.0.0.2) address. To my mind, that can be problematic.

You can modify the routing table so that a host -> jail connection exits an actual interface (and uses that interface's IP address). However, this offers limited usefulness as you can't do the same on the jail side (there's only one routing table to speak of), and return traffic won't be seen on that interface.
The above applies irrespective of whether the jail host and the jail are on the same or different network, or on the same or different NICs.
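The reply above rests on binding each daemon to a specific address rather than the wildcard. On a FreeBSD host of that era, a jail's address is an alias on one of the host's interfaces, so any host daemon listening on `*:port` also answers on the jail's address. The script below is an added example, not code from the thread or from FreeBSD; it takes `sockstat -4 -l`-style output (the sample lines are constructed, not a capture) and lists the listeners that are bound to the wildcard, plus the ones bound to a given address, so an administrator can confirm the host/jail split the poster describes. The column layout it assumes is the USER/COMMAND/PID/FD/PROTO/LOCAL/FOREIGN format of `sockstat`; adjust the field numbers if your version prints differently.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread). Reads
# `sockstat -4 -l`-style lines and reports listeners on the wildcard address,
# i.e. daemons that will also answer on a jail's aliased IP. The sample
# output below is constructed, not captured from a real host.

# Constructed sample of `sockstat -4 -l` output:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     sshd       1503  4  tcp4   10.0.0.2:22           *:*
root     syslogd    640   6  udp4   10.0.0.1:514          *:*
www      httpd      1610  3  tcp4   *:80                  *:*
root     ntpd       702   20 udp4   127.0.0.1:123         *:*'

# Print "COMMAND PID LOCAL" for every listener (stdin) bound to the wildcard "*:port".
# The header line (NR == 1) is skipped; field 6 is the local address column.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $3, $6 }'
}

# Print "COMMAND PID LOCAL" for listeners (stdin) bound to exactly the address in $1,
# e.g. the jail's alias, so you can see which daemons are pinned where.
listeners_on() {
    awk -v addr="$1" 'NR > 1 && index($6, addr ":") == 1 { print $2, $3, $6 }'
}

# Wrappers over the constructed sample so the script runs stand-alone;
# on a real host pipe `sockstat -4 -l` into the functions above instead.
sample_wildcard() { printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners; }
sample_on() { printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on "$1"; }

echo "Wildcard-bound listeners (reachable on every host address, jail aliases included):"
sample_wildcard
echo "Listeners bound to the jail address 10.0.0.2:"
sample_on 10.0.0.2
```

On the constructed sample, `sshd` (pid 812) and `httpd` are the wildcard listeners that the poster's advice targets: they would need `ListenAddress`-style pinning to the host's own interface address so that the jail's copy of the service can own the jail address without ambiguity.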