From: "Raymond Wagner"
To: freebsd-security@freebsd.org
Date: Mon, 27 Jun 2005 09:36:37 -0400
Subject: running jail with alternate IP

I am currently setting up a firewall that translates my internal network over to 5 public IP addresses. The addresses are dynamically assigned, so I use ddclient to update my www.dyndns.org account. I've set up several aliases on the external interface of the firewall, and succeeded in having the internal computers use those extra public IPs. What I want to do is have 5 copies of ddclient all running in separate jails bound to different public IPs.
I did some experimenting with jail, jailing a shell and then running lynx to www.whatismyip.com. I had to open up the firewall to get it to work, and then it gave me the public IP address bound to the first IP on the interface. Looking at the firewall logs, it seems as if jail is sending packets on the main IP (the non-aliased one), but modifying the header so they return to the aliased IP that was given to it when running the jail command. Is this how jail is supposed to operate, or am I doing something wrong?