From owner-freebsd-questions Sat Aug 17 3: 9:42 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B7B6237B400 for ; Sat, 17 Aug 2002 03:09:37 -0700 (PDT)
Received: from smtp.infracaninophile.co.uk (happy-idiot-talk.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2328343E3B for ; Sat, 17 Aug 2002 03:09:36 -0700 (PDT) (envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk ([IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.5/8.12.5) with ESMTP id g7HA9YYk022131; Sat, 17 Aug 2002 11:09:34 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.5/8.12.5/Submit) id g7HA9SuA022130; Sat, 17 Aug 2002 11:09:28 +0100 (BST)
Date: Sat, 17 Aug 2002 11:09:28 +0100
From: Matthew Seaman
To: Paulius Bulotas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: jails and multiple networks
Message-ID: <20020817100928.GB16764@happy-idiot-talk.infracaninophi>
References: <20020816193247.GA36535@kaktusas.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020816193247.GA36535@kaktusas.org>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Aug 16, 2002 at 09:32:47PM +0200, Paulius Bulotas wrote:
> I've set up a 'master' PC with 2 jails in it, with 3 NICs to 3 different
> networks and only one default router (in master). Now I can connect to
> jails/master from outside, between jails and master. But I can't connect
> to outside from jails. So the question would be, is it possible at all
> and if yes, then how?
>
> All examples use IP aliases which share the same gateway (I assume ;),
> and I would like to use a different gateway for each jail.

Unfortunately, jail hosts aren't quite that independent of the main
system --- there's only one routing table in the main kernel, which
applies to both the master system and all the jails.  The same is true
of most kernel-based stuff.

However, all is not lost.  The key phrase you need is "policy based
routing", which you should be able to Google for with reasonable
expectation of success.

On FreeBSD policy based routing is implemented using ipfw(8) to forward
packets to the appropriate gateways.  You'll need to build yourself a
custom kernel containing at least these extra options compared to
GENERIC:

    options IPFIREWALL
    options IPFIREWALL_FORWARD

See
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
for kernel building instructions[*].

Let's suppose that your system is configured with three network cards
as follows:

    I/F    inet           netmask   gateway          notes:
    de0    192.168.0.1    /24       192.168.0.254    master
    de1    192.168.1.1    /24       192.168.1.254    jail 1
    de2    192.168.2.1    /24       192.168.2.254    jail 2

and the default route is:

    % netstat -rn | grep default
    default     192.168.0.254   UGSc    9   99999   de0

Then you need to have firewall rules equivalent to the following:

    add fwd 192.168.1.254 ip from 192.168.1.1 to not 192.168.1.0/24 out via de1
    add fwd 192.168.2.254 ip from 192.168.2.1 to not 192.168.2.0/24 out via de2

Some experimentation will undoubtedly be required to get everything
right for your setup, but that should give you the general idea.  If
necessary, you can select by port number as well as source and
destination address.

	Cheers,

	Matthew

[*] Note that for recent 4-STABLE the

        make buildkernel KERNCONF=MYKERNEL

"new" mechanism will work as part of a {build,install}world cycle, but
the "traditional" 'config MYKERNEL' mechanism possibly won't.

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
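The per-jail ipfw forwarding setup described in the reply above, as an added example that is not part of the original message or of FreeBSD itself: a small POSIX sh script that generates one `fwd` rule per jail from a jail table and refuses to emit anything if a jail address or its gateway is not on the jail's own subnet (a `fwd` to a next hop that is not directly reachable is silently useless). The jail table, the rule numbers, the catch-all rule and the script name `jailfwd.sh` are assumptions made for the example; it assumes a kernel built with the `IPFIREWALL` and `IPFIREWALL_FORWARD` options named in the reply.

```shell
#!/bin/sh
# Added example (not from the original post): generate the per-jail ipfw
# "fwd" rules that give each jail its own upstream gateway on a FreeBSD
# jail host, with a sanity check that each gateway is on the jail's
# subnet. Assumes a kernel with IPFIREWALL and IPFIREWALL_FORWARD. The
# jail table, rule numbers and script name (jailfwd.sh) are hypothetical.

# Constructed jail table, one jail per line: "name jail_ip subnet gateway"
JAILS='
jail1 192.168.1.1 192.168.1.0/24 192.168.1.254
jail2 192.168.2.1 192.168.2.0/24 192.168.2.254
'

# Dotted-quad IPv4 address -> 32-bit integer (plain sh arithmetic).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when $1 (an address) lies inside $2 (a.b.c.d/len).
ip_in_cidr() {
    net=${2%/*}
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Refuse a table whose jail address or gateway is off-subnet: the fwd
# next hop must be directly reachable on the jail's interface, otherwise
# the redirected packets have no ARP entry and no route. Caught here
# before anything is loaded into the kernel.
validate_jails() {
    echo "$JAILS" | while read name ip subnet gw; do
        [ -z "$name" ] && continue
        ip_in_cidr "$ip" "$subnet" ||
            { echo "$name: address $ip is not in $subnet" >&2; exit 1; }
        ip_in_cidr "$gw" "$subnet" ||
            { echo "$name: gateway $gw is not in $subnet" >&2; exit 1; }
    done
}

# Emit the ipfw commands: one fwd rule per jail, numbered from 1000 in
# steps of 10 so a single jail's rule can be replaced with "ipfw delete N".
# The rules match on source address and direction only. The kernel picks
# the outgoing interface from its single routing table (de0 for anything
# that falls to the default route) before ipfw sees the packet, so the
# match is not pinned to the jail's own interface with "via". Traffic to
# the jail's own subnet is excluded ("to not subnet"); it needs no fwd.
gen_all_rules() {
    n=1000
    echo "$JAILS" | while read name ip subnet gw; do
        [ -z "$name" ] && continue
        printf 'ipfw add %d fwd %s ip from %s to not %s out\n' \
            "$n" "$gw" "$ip" "$subnet"
        n=$(( n + 10 ))
    done
    # fwd rules must come before any rule that accepts the packet, so the
    # catch-all allow goes last (hypothetical rule number).
    echo 'ipfw add 65000 allow ip from any to any'
}

# Usage:  sh jailfwd.sh print         show the rules (dry run)
#         sh jailfwd.sh print | sh    install them (as root, on the host)
case "${1:-}" in
    print) validate_jails && gen_all_rules ;;
esac
```

After loading, `ipfw show` gives per-rule packet counters, so a jail's outbound connection should increment its own `fwd` rule and not the others; if the counters stay at zero the rule is not matching and the match clauses (source address, direction) are the first thing to revisit. Reply packets arrive on de1/de2 as normal and need no rule of their own.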