From owner-freebsd-stable@FreeBSD.ORG Wed Oct 26 14:57:27 2011
Date: Wed, 26 Oct 2011 08:30:45 -0600
From: "Peter"
To: "carlopmart"
Cc: freebsd-stable@freebsd.org
Subject: Re: Some questions about jails on FreeBSD9.0-RC1
In-Reply-To: <4EA7BC66.3090304@gmail.com>
References: <4EA721A7.8050905@gmail.com> <20111026031202.2a8780f9@davenulle.org> <4EA7BC66.3090304@gmail.com>

> On 10/26/2011 03:12 AM, Patrick Lamaiziere wrote:
>> On Tue, 25 Oct 2011 22:52:55 +0200, carlopmart wrote:
>>
>> Hello,
>>
>>> I have installed one FreeBSD 9.0-RC1 host to run different services
>>> (dns, smtp and www only) using jails. This host has two physical
>>> nics: em0 and em1. em0 is assigned to the physical host, and I would like
>>> to assign em1 to jails. But em0 and em1 are on different networks:
>>> em0 is on 192.168.1.0/24 and em1 is on 192.168.2.0/29.
>>>
>>> I have set up one jail using ezjail. My first surprise is that
>>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>>> suppose that it is normal. But my first question is: can I install a
>>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>>
>> You may run 8.2 installed ports on 9.0 by using the port
>> /usr/ports/misc/compat8x/
>>
>> But I suggest upgrading the port ASAP.
>>
>>> And the real question: How do I need to configure the network under
>>> this jail to access it? I have configured the ifconfig param for em1 in the
>>> host's rc.conf, but what about the default route under this jail?? I
>>> thought to use pf rules, but I am not sure.
>>
>> jail enforces the use of the jail IP address in the jail, but that's
>> all. Just enable routing on the host.
>>
>
> But, that is not possible. Between host and jail exists a firewall ... I
> can't do simple routing with the host. Maybe a possible solution is to
> use policy source routing ??
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________

I'm using FIBs. The host is on a private network with a gateway of
192.168.1.1 and the jails are on a public network with their own
real/public gateway.

FIBs work without the box becoming a gateway:

%grep gateway /etc/rc.conf
gateway_enable="NO"

I have this in system startup to set up the "public gateway" for jails:

%cat /usr/local/etc/rc.d/0.setfib.sh
#!/bin/sh
# add the default route for FIB 1, the routing table the public jails use
echo setfib 1 for public jails
/usr/sbin/setfib 1 /sbin/route add default 216.241.167.1

and in /usr/local/etc/ezjail/myjail I added this line to the end of the
config:

export jail_myjail_fib="1"

[/usr/sbin/jail has FIB support built in, but at that time ezjail did not,
so I had to manually add it in the config - nowadays I believe ezjail has
FIB support natively, but the resulting config file is the same]

The host is using NAT to get out via a private IP, and the jails are
available via public IPs. All the IPs are defined in rc.conf the normal
_alias way.

FIB support as I remember needs a custom kernel - not sure about 9, this
is in 8.2.

I even run openbsd spamd on the host and use FIBs to start the spamd
daemon via a 'setfib 1' wrapper script:

%cat /usr/local/etc/rc.d/obspamdfib.sh
#!/bin/sh
#
# this just calls the original file, but with setfib 1
# (the rc.d argument, e.g. start/stop, is passed through quoted)
/usr/sbin/setfib 1 /usr/local/etc/rc.d.fib/obspamd "$1"

I had moved the 'obspamd' startup script to rc.d.fib just so a 'setfib 1'
wrapper is called.

]Peter[

FIBs are awesome when you don't have many public IPs and when the host is
_only_ a jail host running no services.
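The two scripts above are written by hand for one FIB and one service. As an added example (not Peter's code and not from the thread), the following generalises them into parameterised generators that validate their inputs before anything is written into an rc.d script, and whose generated wrapper re-checks the FIB index against net.fibs at run time. It assumes a FreeBSD host with setfib(1) and the net.fibs sysctl, and that the original rc.d scripts are kept in /usr/local/etc/rc.d.fib/; FIB 1, gateway 216.241.167.1 and obspamd are the values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): parameterised generators for the
# setfib(1) scripts shown above, with input validation. Assumes FreeBSD with
# setfib(1) and sysctl net.fibs; original rc.d scripts live in rc.d.fib/.

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# check_fib_index FIB NFIBS: FIB must be an integer in 0..NFIBS-1.
check_fib_index() {
    is_uint "$1" && is_uint "$2" && [ "$1" -lt "$2" ]
}

# fib_wrapper_script FIB NAME: print an rc.d wrapper that runs
# /usr/local/etc/rc.d.fib/NAME inside FIB, passing every argument through
# and refusing to start if the kernel has fewer than FIB+1 routing tables.
fib_wrapper_script() {
    fib=$1 name=$2
    is_uint "$fib" || { echo "bad FIB index: $fib" >&2; return 1; }
    case $name in ''|*[!A-Za-z0-9._-]*) echo "bad script name: $name" >&2; return 1 ;; esac
    printf '%s\n' '#!/bin/sh' \
        "# generated wrapper: run rc.d.fib/$name inside FIB $fib" \
        'nfibs=$(/sbin/sysctl -n net.fibs 2>/dev/null || echo 1)' \
        "[ $fib -lt \"\$nfibs\" ] || { echo \"FIB $fib not available (net.fibs=\$nfibs)\" >&2; exit 1; }" \
        "exec /usr/sbin/setfib $fib /usr/local/etc/rc.d.fib/$name \"\$@\""
}

# fib_route_script FIB GATEWAY: print a startup script that gives FIB its
# own default route; GATEWAY must look like a dotted-quad IPv4 address.
fib_route_script() {
    fib=$1 gw=$2
    is_uint "$fib" || { echo "bad FIB index: $fib" >&2; return 1; }
    case $gw in *.*.*.*) case $gw in *[!0-9.]*) gw= ;; esac ;; *) gw= ;; esac
    [ -n "$gw" ] || { echo "bad gateway: $2" >&2; return 1; }
    printf '%s\n' '#!/bin/sh' \
        "echo \"setfib $fib: default route via $gw\"" \
        "/usr/sbin/setfib $fib /sbin/route add default $gw"
}

# Demo with the thread's values (FIB 1, gateway 216.241.167.1, obspamd).
# NFIBS defaults to 2 here; on a real host read it with: sysctl -n net.fibs
main() {
    nfibs=${NFIBS:-2}
    check_fib_index 1 "$nfibs" || { echo "FIB 1 needs net.fibs >= 2" >&2; return 1; }
    echo '# --- /usr/local/etc/rc.d/0.setfib.sh ---'; fib_route_script 1 216.241.167.1
    echo '# --- /usr/local/etc/rc.d/obspamdfib.sh ---'; fib_wrapper_script 1 obspamd
}
main
```

Redirect the two printed scripts into /usr/local/etc/rc.d/ and mark them executable; the generated wrapper fails closed with a clear message if the kernel was built or tuned with too few routing tables.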