From: mario <mario@schmut.com>
Date: Mon, 27 Jun 2005 11:43:29 -0700 (PDT)
Cc: freebsd-security@freebsd.org
Subject: Re: running jail with alternate IP
Message-ID: <20688.209.213.222.98.1119897809.squirrel@mail.schmut.com>
In-Reply-To: <200506271336.j5RDamWY022065@ms-smtp-01-eri0.ohiordc.rr.com>

So, Raymond Wagner wrote:

> I am currently setting up a firewall that translates my internal network
> over to 5 public IP addresses. The addresses are dynamically assigned,
> so I use ddclient to update my www.dyndns.org account. I've set up
> several aliases on the external interface of the firewall, and succeeded
> in having the internal computers use those extra public IPs.
>
> What I want to do is have 5 copies of ddclient all running in separate
> jails bound to different public IPs. I did some experimenting with
> jail, jailing a shell and then running lynx to www.whatismyip.com. I
> had to open up the firewall to get it to work, and then it gave me the
> public IP address bound to the first IP on the interface. Looking at
> the firewall logs, it seems as if jail is sending packets on the main IP
> (the non-aliased one), but modifying the header so they return to the
> aliased IP that was given to it when running the jail command.
>
> Is this how jail is supposed to operate, or am I doing something wrong?

I don't know about the implications of jail, but as far as I know, when
you have multiple interfaces going to the same subnet (in your case your
provider and the internet), only one of those IPs can have its netmask
set for that subnet, and all the other netmasks have to be
255.255.255.255. This implies that all outbound packets routed to your
gateway (presumably your provider) are routed through that one IP.

mario;>
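The netmask convention in the reply above (one address on the external interface carries the real subnet mask, every alias on that same subnet uses 255.255.255.255) is easy to get wrong by hand when five aliases are involved. The following script is an added example, not part of the original thread and not FreeBSD project code: it parses a small rc.conf fragment in the documented `ifconfig_<if>` / `ifconfig_<if>_aliasN` form, flags any alias that shares the primary address's subnet but does not use a /32 mask, and generates correct alias lines for a list of public addresses. The interface name `fxp0`, the 203.0.113.0/29 addresses and the sample rc.conf text are constructed for the example.

```python
import ipaddress
import re

# Constructed sample rc.conf fragment (assumption: not from the original
# message). One primary address with the real /29 mask and three aliases,
# one of which wrongly repeats the subnet mask instead of using /32.
SAMPLE_RC_CONF = """\
ifconfig_fxp0="inet 203.0.113.10 netmask 255.255.255.248"
ifconfig_fxp0_alias0="inet 203.0.113.11 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 203.0.113.12 netmask 255.255.255.248"
ifconfig_fxp0_alias2="inet 203.0.113.13 netmask 255.255.255.255"
"""

# Matches both ifconfig_<if>="inet A netmask M" and
# ifconfig_<if>_alias<N>="inet A netmask M".
LINE_RE = re.compile(
    r'^ifconfig_(?P<nic>\w+?)(?:_alias(?P<idx>\d+))?='
    r'"inet\s+(?P<addr>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)"\s*$'
)


def parse_rc_conf(text):
    """Return a list of {nic, alias, addr} entries for every inet line found."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, unrelated variables
        entries.append({
            "nic": m.group("nic"),
            "alias": m.group("idx") is not None,
            # IPv4Interface accepts a dotted netmask after the slash.
            "addr": ipaddress.IPv4Interface(f"{m.group('addr')}/{m.group('mask')}"),
        })
    return entries


def check_alias_netmasks(entries):
    """Flag aliases on the primary address's subnet that are not /32.

    Returns a list of human-readable problem strings; empty means the
    configuration follows the one-subnet-mask-per-subnet convention.
    """
    problems = []
    for primary in (e for e in entries if not e["alias"]):
        subnet = primary["addr"].network
        for e in entries:
            if not e["alias"] or e["nic"] != primary["nic"]:
                continue
            if e["addr"].ip in subnet and e["addr"].network.prefixlen != 32:
                problems.append(
                    f"{e['nic']}: alias {e['addr'].ip} is on {subnet} "
                    f"(primary {primary['addr'].ip}) but has netmask "
                    f"{e['addr'].netmask}; expected 255.255.255.255"
                )
    return problems


def alias_lines(nic, public_ips):
    """Generate rc.conf alias lines, each with the /32 mask the convention requires."""
    return [
        f'ifconfig_{nic}_alias{i}="inet {ip} netmask 255.255.255.255"'
        for i, ip in enumerate(public_ips)
    ]


if __name__ == "__main__":
    found = parse_rc_conf(SAMPLE_RC_CONF)
    for problem in check_alias_netmasks(found) or ["no alias netmask problems"]:
        print(problem)
    print("\n".join(alias_lines("fxp0", ["203.0.113.11", "203.0.113.12"])))
```

Running the script against the constructed fragment reports the single bad alias (203.0.113.12 with a /29 mask) and prints corrected alias lines; the same checker can be pointed at a real rc.conf by replacing `SAMPLE_RC_CONF` with the file's contents.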