From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Sat, 24 Mar 2007 18:37:59 +0000
To: Jonathan Horne
Cc: freebsd-questions@freebsd.org
Subject: Re: another jail question
In-Reply-To: <20070324121129.815b8c03.freebsd@dfwlp.com>

Jonathan Horne wrote:
> is there a way to configure a jail to use more than one ip address?
> in the same sense of configuring an alias ip for any other freebsd
> host?

jail(8) only allows you one IP -- there are some patches around which
will let you create jails with more IPs, and even better there's a
clonable network stack under development -- meaning each jail can have
its own firewall instance etc. etc.

However none of that is really ready for prime time usage just yet. In
fact, that's all rather experimental at the moment and suitable only
for gurus to play with.

There is an alternative. You can achieve something like what you want
with a bit of firewall trickery. Add an alias IP to the loopback
interface -- say 127.0.0.2:

    # ifconfig lo0
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet6 ::1 prefixlen 128
            inet 127.0.0.1 netmask 0xff000000
            inet 127.0.0.2 netmask 0xffffffff

Now create a jail using that IP. Something like this in /etc/rc.conf
is what you'll need, plus following the instructions in jail(8) to
create the filesystems in the jail:

    jail_enable="YES"
    jail_list="j1"
    jail_j1_hostname="j1.example.com"
    jail_j1_interface="lo0"
    jail_j1_mount_enable="YES"
    jail_j1_fstab="/etc/fstab.jail.j1"
    jail_j1_ip="127.0.0.2"
    jail_j1_rootdir="/jail/j1.example.com"

Fire up whatever services you want inside your jail -- within it,
you'll have to configure everything to bind to the jail IP 127.0.0.2
specifically, but that's just the way things are in jails even without
this redirection trick.
Now, configure the IPs on interfaces you want the outside world to see
as belonging to your jail -- for illustrative purposes I'll choose
12.34.56.78 and 12.34.56.79 as example addresses to use for the jail.
Then use firewall NAT functionality to redirect traffic into the jail.
If you use pf (definitely recommended) then a snippet like the
following should be useful in /etc/pf.conf:

    # $ext_if is the usual macro for the external interface; define it
    # elsewhere in pf.conf (e.g. ext_if="em0") before these rules.
    jail_int="127.0.0.2"
    jail_ext0="12.34.56.78"
    jail_ext1="12.34.56.79"

    # Outward connections from within the jail
    nat on $ext_if proto { tcp udp } \
        from $jail_int \
        to !$jail_int -> $jail_ext0 static-port

    # Incoming connections to the jail
    rdr on $ext_if proto tcp \
        from any \
        to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

If you want to run multiple HTTPS v-hosts from within the jail you'll
have to configure them to all run on distinct port numbers within
apache, and use something like this to generate the mapping:

    rdr on $ext_if proto tcp \
        from any \
        to $jail_ext0 port 443 -> $jail_int port 8443
    rdr on $ext_if proto tcp \
        from any \
        to $jail_ext1 port 443 -> $jail_int port 9443

This approach works pretty well for many protocols, but it does have
the basic limitation that you can tell a priori from within the jail
which external address the traffic went to. Either you've got to
determine the answer by looking at the traffic payload (e.g. HTTP has a
header saying which v-host the request is for) or apply the sort of
port remapping shown above.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
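As an added example (not part of Matthew's post), a small sh script that generates the per-address rdr rules and the matching apache Listen lines following the 8443/9443 port-remapping pattern above, writes them as a pf.conf fragment and syntax-checks it when pfctl is available. The interface name em0, the function names and the output file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the port-remapping
# rdr rules the mail describes: each external address's port 443 lands on
# a distinct port inside the jail (8443, 9443, ...), so the jailed apache
# can tell from the local port which external address a client used.

# Emit one rdr rule per external address.
# $1 = external interface, $2 = jail loopback alias, rest = external IPs.
gen_https_rdr() {
    ext_if=$1; jail_int=$2; shift 2
    port=8443                       # first internal port, as in the mail
    for ext in "$@"; do
        printf 'rdr on %s proto tcp from any to %s port 443 -> %s port %s\n' \
            "$ext_if" "$ext" "$jail_int" "$port"
        port=$((port + 1000))       # 8443, 9443, 10443, ... one per v-host
    done
}

# Emit the apache Listen lines that pair with those rules; each v-host
# binds only the jail IP on its own port.
# $1 = jail loopback alias, rest = external IPs (same order as above).
gen_apache_listen() {
    jail_int=$1; shift
    port=8443
    for ext in "$@"; do
        printf 'Listen %s:%s\n' "$jail_int" "$port"
        port=$((port + 1000))
    done
}

# Write a complete pf.conf fragment (macros, outbound nat, rdr rules) to
# $1 and, when pfctl is installed, parse it without loading it (-n).
# $2 = external interface, $3 = jail alias, $4.. = external IPs; the first
# external IP is also the source address for outbound jail traffic.
write_and_check() {
    out=$1; ext_if=$2; jail_int=$3; jail_ext0=$4; shift 4
    {
        printf 'ext_if="%s"\njail_int="%s"\n' "$ext_if" "$jail_int"
        printf 'nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int -> %s static-port\n' \
            "$jail_ext0"
        gen_https_rdr "$ext_if" "$jail_int" "$jail_ext0" "$@"
    } > "$out"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out"            # syntax check only, rules are not loaded
    fi
}
```

Run it as e.g. `write_and_check /tmp/pf.jail.conf em0 127.0.0.2 12.34.56.78 12.34.56.79` and review the fragment before merging it into /etc/pf.conf.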