Date: Thu, 06 Aug 2020 07:43:56 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: Shane Ambler <FreeBSD@ShaneWare.Biz>
Cc: Arthur Chance <freebsd@qeng-ho.org>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: how to make a non-vnet jail local only?
Message-ID: <5F2BECFC.9010002@gmail.com>
In-Reply-To: <c9ec293e-be65-8ac2-010e-530cedac4481@ShaneWare.Biz>
References: <5F2A051D.4030604@gmail.com> <77719bef-6c53-21a7-ca17-3ebac05427b9@qeng-ho.org> <5F2ABF80.4080208@gmail.com> <15ab4539-afaf-df6e-8c36-bf8056723999@qeng-ho.org> <c9ec293e-be65-8ac2-010e-530cedac4481@ShaneWare.Biz>
Shane Ambler wrote:
> On 6/8/20 1:39 am, Arthur Chance wrote:
>> On 05/08/2020 15:17, Ernie Luzar wrote:
>>> Arthur Chance wrote:
>>>> On 05/08/2020 02:02, Ernie Luzar wrote:
>>>>> I have non-vnet jails working that can reach the public internet.
>>>>> But now I would like to make some local only non-vnet jails that can
>>>>> only access other local only non-vnet jails. By local meaning have no
>>>>> access to the public internet.
>>>>>
>>>>> How do I make this happen?
>>>>>
>>>>> Thanks for any pointers.
>>>> Create a second loopback interface (cloned_interfaces="lo1" in
>>>> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
>>>> local jails on lo1 without access to any other interface.
>>>>
>>> I tested this already and it doesn't work.
>>>
>>> non-vnet jail with lo99 for the nic and ip address of 10.0.28.5 can
>>> still reach the public internet.
>
> Do you have bridging or routing enabled?
>
> Routing can receive foreign packets on an interface and route them to a
> different interface.
>
> Bridging connects interfaces, sending the same packets on each.
>
>
> While I don't have jails setup, I use sysutils/vm-bhyve for bhyve
> instances. I have two "vm switches" which are bridge interfaces
> connecting bhyve instances with physical interfaces, one bridges with
> wlan0 and allows a vm to get internet access, the second bridges with
> re0, which has no physical connection and provides no internet access to
> bhyve instances, but I can ssh into it from the host.
>
> I have -
> net.link.bridge.ipfw: 0
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
> net.inet.ip.sourceroute: 0

Using 12.1 generic with the system default for those settings.
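Shane's question is whether the host itself routes or bridges packets off the loopback the jail is pinned to. The script below is an added example, not code from anyone in this thread: it reads the sysctls Shane lists, plus net.inet.ip.forwarding (the knob that turns on routing between interfaces, assumed here as the thing to check), from captured `sysctl` output and flags the values that would let traffic from an lo1-only jail reach another interface. The sample output is constructed, not taken from either poster's host.

```sh
#!/bin/sh
# Audit host settings that undermine an lo1-only non-vnet jail.
# Input is "name: value" lines exactly as `sysctl` prints them, so on a
# real host you would feed it "$(sysctl net.inet.ip net.link.bridge)".

# Constructed sample: a host that has IP forwarding switched on.
SAMPLE='net.inet.ip.forwarding: 1
net.inet.ip.sourceroute: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'

# sysctl_value NAME TEXT: print the value recorded for NAME, empty if absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1" -F': ' '$1 == key { print $2 }'
}

# audit_jail_isolation TEXT: return 0 when none of the checked settings
# would carry the jail's packets off the loopback; otherwise print one
# line per finding and return 1.
audit_jail_isolation() {
    text="$1"
    rc=0
    if [ "$(sysctl_value net.inet.ip.forwarding "$text")" = "1" ]; then
        echo "net.inet.ip.forwarding=1: host routes packets between interfaces"
        rc=1
    fi
    if [ "$(sysctl_value net.inet.ip.sourceroute "$text")" = "1" ]; then
        echo "net.inet.ip.sourceroute=1: source-routed packets are forwarded"
        rc=1
    fi
    if [ "$(sysctl_value net.link.bridge.pfil_bridge "$text")" = "0" ]; then
        echo "net.link.bridge.pfil_bridge=0: packet filter does not see bridged traffic"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed sample.
audit_jail_isolation "$SAMPLE"
```

On the sample above the script reports the forwarding line and exits non-zero; with forwarding set to 0 it stays silent and exits 0.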