From: Anders Hagman
To: freebsd-jail@freebsd.org
Subject: Re: VNET
Date: Thu, 21 Jun 2012 17:02:30 +0200
Message-Id: <1CB97103-00FC-4B8A-BF82-519F39DA3DC1@netplex.se>
References: <4FE1E175.4060005@FreeBSD.org>

Hi

On 20 Jun 2012, at 19:51, Sami Halabi wrote:

> Thank you.
>
> I want to use vnet jail for a specific subnet that I need to separate from
> the system.

If you want total separation from the main system you need vnet jail to be able to have a separate routing table and default gateway.

> so basically I create a vlan + a bridged interface to the public.

You don't need to create a bridge, just create a vlan interface and move it to the jail.

> these two (vlan+bridged interface- epair0a) will be in the vnet jail, so I
> can do NAT only for that vlan going out.
> This is the idea, as there are more interfaces in the system and there is
> only one interface out...

I do this to be able to use the same hardware for inside server and DMZ server. Have been working for two months without any problem.

>
> so basically it should be a firewall & Nat only between the specific lan and
> the outside world.
>
> Can this be accomplished another way?
>
> Sami
>
> On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov <melifaro@freebsd.org> wrote:
>
>> On 19.06.2012 12:56, Sami Halabi wrote:
>>
>>> Hi,
>>>
>>> I want to ask about VNET jails, I read somewhere that I'm able to run IPFW,
>>> but not PF firewall in a vnet jail.
>>> is that correct?
>>>
>>> i want a vnet jail basically for nat, so natd with ipfw + ipdivert is my
>>>
>> 1) You can do nat without vnet.
>> 2) ipfw nat is currently the easiest way to do nat.
>>
>>
>> choice? or i can use pf somehow, I never used pf before,
>>> so i would like some advice here...
>>>
>>> Thanks in advance,
>>>
>>
>> --
>> WBR, Alexander
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
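
The setup described in the reply above (a vlan interface created on the host and moved into a vnet jail, which then has its own routing table and default gateway), as an added example that is not part of the original thread. The parent NIC `em0`, VLAN tag 100, jail name `dmz`, jail root `/jails/dmz` and the 192.0.2.0/24 addresses are assumptions; the script prints the commands unless `APPLY=1` is set on a FreeBSD host with a VIMAGE kernel.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed values: parent NIC em0, VLAN tag
# 100, jail "dmz" rooted at /jails/dmz (an installed FreeBSD userland), and
# addresses from the 192.0.2.0/24 documentation range.
PARENT_IF=${PARENT_IF:-em0}
VLAN_TAG=${VLAN_TAG:-100}
JAIL=${JAIL:-dmz}
JAIL_PATH=${JAIL_PATH:-/jails/dmz}
JAIL_ADDR=${JAIL_ADDR:-192.0.2.10/24}
JAIL_GW=${JAIL_GW:-192.0.2.1}

# Dry run by default: print the command. With APPLY=1 (FreeBSD host, VIMAGE
# kernel, root) the command is executed instead.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

vnet_vlan_up() {
    vif="vlan${VLAN_TAG}"
    # Create the VLAN interface on the host; no bridge or epair is involved.
    run ifconfig "$vif" create vlan "$VLAN_TAG" vlandev "$PARENT_IF"
    # Start a persistent jail that owns a separate network stack.
    run jail -c name="$JAIL" path="$JAIL_PATH" host.hostname="$JAIL" vnet persist
    # Move the interface: it disappears from the host and appears in the jail.
    run ifconfig "$vif" vnet "$JAIL"
    # Address it inside the jail and give the jail its own default gateway.
    run jexec "$JAIL" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$JAIL" ifconfig "$vif" inet "$JAIL_ADDR" up
    run jexec "$JAIL" route add default "$JAIL_GW"
    # Check: this routing table is the jail's, independent of the host's.
    run jexec "$JAIL" netstat -rn -f inet
}

vnet_vlan_down() {
    vif="vlan${VLAN_TAG}"
    # Hand the interface back to the host before removing the jail.
    run ifconfig "$vif" -vnet "$JAIL"
    run jail -r "$JAIL"
    run ifconfig "$vif" destroy
}

case "${1:-}" in
    up)   vnet_vlan_up ;;
    down) vnet_vlan_down ;;
esac
```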