Date: Mon, 18 Oct 2010 21:57:55 +0100
From: "Matthew Law" <matt@webcontracts.co.uk>
To: "Ivan Voras" <ivoras@freebsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Jail question
Message-ID: <903641d568b60e1b082b793cf1134f7d.squirrel@www.webcontracts.co.uk>
In-Reply-To: <i99mer$r7a$1@dough.gmane.org>
References: <a326819258145be7f52702ca68402e23.squirrel@www.webcontracts.co.uk> <i99mer$r7a$1@dough.gmane.org>

On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:
> Since jails can do many things there are many "helper" utilities that
> can do much to simplify the process. If you can hack python, you can,
> for example, modify my script at
> http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a
> thousand very light-weight jails which are started and managed using
> only standard FreeBSD tools.
>
> In any case, read rc.conf(5) man page for the jail_* settings.

snip

> This is the more complex question; I think that everything which needs
> direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be
> run on the host system. TCP services will work inside jails without
> problems, but with jails it's almost the same as if they were on another
> system. If you do use NAT you will have to configure it on the host.
> Instead, you can also use TCP proxies (like bsdproxy). It's up to you
> how much complexity do you want in your system, but for simplicity I
> would set up a single outward-facing IP address and then proxy TCP
> services where I need them.

Thanks for the helpful replies. I am experimenting with some ideas on a VM
now. It certainly does seem more logical to have the firewall, VPN and NAT
rules in the base system and everything else jailed.

I can just about get by with Python and your script looks like it could be
of use - thanks for sharing it.

Matt.