Date: Mon, 30 May 2016 21:31:27 +0300
From: wishmaster <artemrts@ukr.net>
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
To: Sebastián Maruca
Cc: freebsd-jail@freebsd.org
Message-Id: <1464632136.649261509.wqj3p1n9@frv34.fwdcdn.com>
In-Reply-To: <366569840.1294540.1464534933908.JavaMail.yahoo@mail.yahoo.com>
List-Id: "Discussion about FreeBSD jail(8)"

Hi,

> Hi to everyone!
> I want to deploy several "jailed" firewalls, where each one of them would contain at least three virtual interfaces (associated with virtual internal nets) like "WAN", "LAN" and "DMZ", for example...
> First *innocent* question (I beg your pardon for my ignorance dealing with jails!): can vnet/vimage help me deploy such a complex jailed environment???

Yes. If you need help you can email me privately.

> Second *innocent* question: so far so good, reading the jail manpage (circa July 6, 2015 / FreeBSD 10.3) it seems VNET/VIMAGE is fully integrated into the FreeBSD kernel. Is VNET/VIMAGE ready for production level???

Yes. I have been using vneted jails since 10.0 in quite complex scenarios. Yes, there are some open issues with vnet (pf, memory leak on stopping a jail and so on), but I think in 11-RELEASE these bugs will be fixed. Currently Bjorn Zeeb is working on these problems. See https://svnweb.freebsd.org/base/projects/vnet/

But for now, you can safely use vnet. Just use IPFW and do not start/stop jails needlessly.

> As a side note, at the host level would there be some kind of API/service that would deal with pfctl in order to rule flows between all of them...
> Best regards,
> Seba

--
Vitaliy
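As an illustration of the setup the question describes (one vnet jail acting as a firewall with separate WAN, LAN and DMZ legs), here is a minimal jail.conf(5) stanza. It is an added example, not configuration from the thread or from the FreeBSD project; the jail name fw1, the jail root /jails/fw1, the hostname, the epair numbers and the bridge names bridge0/bridge1/bridge2 standing for WAN/LAN/DMZ are all assumptions.

```conf
# Added example: one VNET firewall jail with three epair(4) legs.
# On FreeBSD 10.x the host kernel must be built with "options VIMAGE"
# (it is not part of GENERIC there).
# Host side, assumed to exist already: bridge0 = WAN, bridge1 = LAN,
# bridge2 = DMZ, each created with "ifconfig bridgeN create".
fw1 {
    host.hostname = "fw1.example.invalid";   # placeholder hostname
    path = "/jails/fw1";                     # assumed jail root
    persist;
    mount.devfs;

    # Give the jail its own network stack. The "b" halves of the epairs
    # move into that stack; the "a" halves stay on the host and are bridged,
    # so the jail's own IPFW rule set is what stands between the three nets.
    vnet;
    vnet.interface = "epair0b", "epair1b", "epair2b";

    exec.prestart += "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair1 create up";
    exec.prestart += "ifconfig epair2 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";   # WAN
    exec.prestart += "ifconfig bridge1 addm epair1a";   # LAN
    exec.prestart += "ifconfig bridge2 addm epair2a";   # DMZ

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Destroying the "a" side removes both halves once the jail's
    # vnet has been torn down, so nothing is leaked on the host side.
    exec.poststop += "ifconfig epair0a destroy";
    exec.poststop += "ifconfig epair1a destroy";
    exec.poststop += "ifconfig epair2a destroy";
}
```

Inside the jail, /etc/rc.conf then assigns addresses to epair0b, epair1b and epair2b and enables IPFW (firewall_enable="YES" with a suitable firewall_type or script), which matches the reply's advice to prefer IPFW over pf in vnet jails at that time. Because each vnet has its own firewall instance, the host's rule set does not govern traffic between the jail's legs; that policy has to live in the jail.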