Date:      Sat, 24 Mar 2007 18:37:59 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Jonathan Horne <freebsd@dfwlp.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: another jail question
Message-ID:  <46057007.50306@infracaninophile.co.uk>
In-Reply-To: <20070324121129.815b8c03.freebsd@dfwlp.com>
References:  <20070324121129.815b8c03.freebsd@dfwlp.com>

Jonathan Horne wrote:
> is there a way to configure a jail to use more than one ip address?
> in the same sense of configuring an alias ip for any other freebsd
> host?

jail(8) only allows you one IP -- there are some patches around
which will let you create jails with more IPs, and even better
there's a clonable network stack under development -- meaning
each jail can have its own firewall instance etc. etc.

However none of that is really ready for prime time usage just
yet.  In fact, that's all rather experimental at the moment and
suitable only for gurus to play with.

There is an alternative.

You can achieve something like what you want with a bit of
firewall trickery.  Add an alias IP to the loopback interface --
say 127.0.0.2

# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff

Now create a jail using that IP.  Something like this in
/etc/rc.conf is what you'll need, plus following the instructions
in jail(8) to create the filesystems in the jail:

jail_enable="YES"
jail_list="j1"
jail_j1_hostname="j1.example.com"
jail_j1_interface="lo0"
jail_j1_mount_enable="YES"
jail_j1_fstab="/etc/fstab.jail.j1"
jail_j1_ip="127.0.0.2"
jail_j1_rootdir="/jail/j1.example.com"

Fire up whatever services you want inside your jail -- within it,
you'll have to configure everything to bind to the jail IP
127.0.0.2 specifically, but that's just the way things are in jails
even without this redirection trick.

Now, configure the IPs on interfaces you want the outside world to
see as belonging to your jail -- for illustrative purposes I'll
choose 12.34.56.78 and 12.34.56.79 as example addresses to use for
the jail. Then use firewall NAT functionality to redirect traffic
into the jail.  If you use pf (definitely recommended) then a
snippet like the following should be useful in /etc/pf.conf:

jail_int="127.0.0.2"
jail_ext0="12.34.56.78"
jail_ext1="12.34.56.79"

# Outward connections from within the jail
nat on $ext_if proto { tcp udp }           \
     from $jail_int                        \
     to !$jail_int -> $jail_ext0 static-port

# Incoming connections to the jail
rdr on $ext_if proto tcp                   \
     from any                              \
     to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

If you want to run multiple HTTPS v-hosts from within the jail
you'll have to configure them to all run on distinct port numbers
within apache, and use something like this to generate the mapping:

rdr on $ext_if proto tcp                   \
     from any                              \
     to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp                   \
     from any                              \
     to $jail_ext1 port 443 -> $jail_int port 9443

This approach works pretty well for many protocols, but it does have
the basic limitation that you can't tell a priori from within the jail
which external address the traffic went to.  Either you've got to
determine the answer by looking at the traffic payload (e.g. HTTP has
a header saying which v-host the request is for) or apply the sort of
port remapping shown above.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW

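An added example (not part of Matthew's message, nor FreeBSD's own scripts): a POSIX sh script that generates the lo0 alias command, the rc.conf lines and the pf.conf fragment described above for one jail fronted by any number of external addresses, giving each external address its own internal HTTPS port (8443, 9443, ...) so the jail can tell them apart. The interface name em0, the jail name j1, the hostname and the addresses are constructed for illustration; the pf macro $ext_if is left for you to define, as in the original snippet.

```shell
#!/bin/sh
# Added example: emits the host-side setup from the message for a jail bound
# to a loopback alias and fronted by several external addresses.  Interface
# "em0", jail "j1" and all addresses below are constructed for illustration.

# https_port_for EXT_IP "EXT_IP1 EXT_IP2 ..." [BASE]
# Internal port the Nth external address is redirected to for HTTPS:
# BASE, BASE+1000, ... (8443, 9443 as in the message).  Fails if EXT_IP
# is not in the list.
https_port_for() {
    want=$1 base=${3:-8443}
    set -- $2
    port=$base
    for ip in "$@"; do
        if [ "$ip" = "$want" ]; then
            printf '%s\n' "$port"
            return 0
        fi
        port=$((port + 1000))
    done
    return 1
}

# gen_jail_rules EXT_IF JAIL_INT "EXT_IP1 EXT_IP2 ..." "PORT1 PORT2 ..." [BASE]
# Prints a pf.conf fragment: outbound NAT to the first external address,
# one shared rdr for protocols that name the virtual host in the payload
# (SMTP, HTTP), and one rdr per external address for HTTPS, which cannot.
gen_jail_rules() {
    ext_if=$1 jail_int=$2 ext_ips=$3 plain_ports=$4 base=${5:-8443}
    set -- $ext_ips
    # A rdr whose target equals its own destination is a misconfiguration;
    # refuse it rather than emit a rule that does nothing useful.
    for ip in "$@"; do
        if [ "$ip" = "$jail_int" ]; then
            echo "jail address $jail_int must not be an external address" >&2
            return 1
        fi
    done
    printf 'ext_if="%s"\njail_int="%s"\n\n' "$ext_if" "$jail_int"
    printf '# Outward connections from within the jail\n'
    printf 'nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int -> %s static-port\n\n' "$1"
    printf '# Incoming connections to the jail (payload carries the v-host)\n'
    printf 'rdr on $ext_if proto tcp from any to { %s } port { %s } -> $jail_int\n\n' \
        "$ext_ips" "$plain_ports"
    printf '# HTTPS: distinct internal port per external address\n'
    for ip in "$@"; do
        printf 'rdr on $ext_if proto tcp from any to %s port 443 -> $jail_int port %s\n' \
            "$ip" "$(https_port_for "$ip" "$ext_ips" "$base")"
    done
}

# gen_host_setup JAIL_NAME JAIL_INT HOSTNAME ROOTDIR
# Prints the loopback alias command (host-only /32, as in the ifconfig
# output above) and the rc.conf lines from the message.
gen_host_setup() {
    name=$1 jail_int=$2 host=$3 root=$4
    printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n\n' "$jail_int"
    printf 'jail_enable="YES"\njail_list="%s"\n' "$name"
    printf 'jail_%s_hostname="%s"\njail_%s_interface="lo0"\n' "$name" "$host" "$name"
    printf 'jail_%s_mount_enable="YES"\njail_%s_fstab="/etc/fstab.jail.%s"\n' \
        "$name" "$name" "$name"
    printf 'jail_%s_ip="%s"\njail_%s_rootdir="%s"\n' "$name" "$jail_int" "$name" "$root"
}

# Constructed example run: one jail, two external addresses.
gen_host_setup j1 127.0.0.2 j1.example.com /jail/j1.example.com
echo
gen_jail_rules em0 127.0.0.2 "12.34.56.78 12.34.56.79" "25 80" 8443
```

Save the pf fragment to a file and syntax-check it with pfctl -nf before loading; inside the jail, apache then listens on 127.0.0.2:8443 and 127.0.0.2:9443 for the two certificates. Later FreeBSD releases allow several addresses per jail directly, which removes the need for this redirection on those versions, but the port-remapping idea still applies wherever one listener has to serve several addresses behind a NAT.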


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46057007.50306>