From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Wed, 23 Dec 2009 09:06:33 +0000
To: Mel Flynn
Cc: freebsd-hackers@freebsd.org
Subject: Re: Jail on 2 interfaces?
Message-ID: <4B31DD99.7000103@infracaninophile.co.uk>
Mel Flynn wrote:
> Hi,
>
> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so is
> it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it settable
> for rc(8)?
>
> The usage case is to have the same jailed proxy server on two separate
> internal networks. Ideally, the proxy will use one address for outgoing, so I
> guess I'll need a default route or dive into the squid config.
>
> At present I have:
> ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> jail_squid_rootdir="/usr/squid"
> jail_squid_ip="192.168.177.62"
> jail_squid_ip_multi0="192.168.176.62"
> jail_squid_interface="bge0"
>
> But this created the IP on bge0 even though one exists on em0. Is it as simple
> as not specifying the interface and add the 177.62 alias on bge0?
> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my main
> worry is that the jail infrastructure understands the routing involved.

To do this directly is now possible in 8.0-RELEASE or better. You will need
a custom kernel with 'options VIMAGE' and I believe the standard jail
startup scripts need a bit of work in order for them to start the jail with
the correct command line arguments to enable the vnet functionality.

Note that vnet is /experimental/. It may eat your homework and blame it on
your dog. It is also known not to work yet with various subsystems which
haven't had the necessary recoding to understand the new kernel structures.
Probably the most significant missing bit is pf(4).

Alternatively, you can achieve much the same effect that you want by using
a simple one-ip jail and writing firewall rules to redirect traffic into it,
and NAT traffic coming out of it.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
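Matthew's alternative (a single-IP jail plus host firewall rules) written out as a pf.conf, an added example that is not from the original thread. It reuses the addresses from Mel's rc.conf, assumes the jail keeps only 192.168.177.62 on bge0 (no ip_multi0 and no em0 alias), and assumes squid listens on TCP 3128.

```pf
# Added example: host /etc/pf.conf for a one-IP squid jail that serves both
# internal networks. Addresses come from the rc.conf quoted above; the
# squid port (3128) and which network each interface faces are assumptions.
ext_if     = "em0"              # faces 192.168.176.0/24
jail_if    = "bge0"             # faces 192.168.177.0/24, where the jail IP lives
jail_ip    = "192.168.177.62"
net176     = "192.168.176.0/24"
net177     = "192.168.177.0/24"
proxy_port = "3128"

# Clients on 192.168.176.0/24 point their proxy setting at the host's em0
# address; redirect those connections into the jail. Replies follow the
# rdr state back out, so the 176 network never needs a route to the jail IP.
rdr on $ext_if proto tcp from $net176 to ($ext_if) port $proxy_port \
    -> $jail_ip port $proxy_port

# Connections the jail itself opens towards 192.168.176.0/24 (e.g. squid
# fetching from an internal server there) leave em0 with the host's own
# address as source instead of the 177.x jail address.
nat on $ext_if from $jail_ip to $net176 -> ($ext_if)

# Expose nothing but the proxy port on the jail address; log the rest.
block in log quick on { $ext_if, $jail_if } proto tcp \
    from any to $jail_ip port != $proxy_port
pass in quick on $ext_if proto tcp from $net176 to $jail_ip \
    port $proxy_port flags S/SA keep state
pass in quick on $jail_if proto tcp from $net177 to $jail_ip \
    port $proxy_port flags S/SA keep state
pass out quick on $ext_if from ($ext_if) keep state
pass out quick on $jail_if from $jail_ip keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; pf runs on the host here, not inside the jail, so the vnet/pf(4) caveat above does not apply.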