Date: Fri, 26 Feb 2016 12:53:35 +0100
From: Sascha Biberhofer <s.biberhofer@sphericalelephant.com>
To: User Questions <freebsd-questions@freebsd.org>
Subject: Jails, loopback-addresses and IPv6
Message-ID: <20160226115335.GC1279@phosphorus>

When setting up jails, the handbook mentions [1] that the loopback-address is an "alias" for the first IP-address assigned to that jail. In particular, listening on the loopback-address seems to be equivalent to listening on that IP, which might well be a globally reachable address.

This - as far as I have understood this - leads one to create another loopback-device (e.g. lo1) and assign loopback-addresses like lo1|127.0.1.* to the jail and use stuff like pf to prevent other jails from accessing loopback-addresses not belonging to them (please correct me if I'm wrong on this).

However, with IPv6, one has exactly one loopback-address (::1/128), hence such a setup can't easily be replicated. Is there any commonplace way to solve this? I could probably assign ULAs to each jail as the first IPv6-address, but this seems like a cumbersome workaround. People have also suggested switching to VIMAGE, which - as far as I can tell - isn't ready for production.

Any thoughts/ideas/suggestions on this would be greatly appreciated.

Cheers,
Sascha

[1] https://www.freebsd.org/doc/handbook/jails-ezjail.html 14.6.1
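An added example, not part of the original message: a small audit that reads a jail.conf-style fragment and reports jails whose first IPv4 or IPv6 address, the one the message says the loopback address aliases, lies outside 127.0.0.0/8 or the ULA range fc00::/7. The jail names, addresses, the simplified parser and the choice of "contained" ranges are assumptions made for illustration.

```python
import ipaddress
import re

# Ranges treated as "contained", following the workarounds in the message (assumption).
CONTAINED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "fc00::/7")]

# Constructed jail.conf fragment: hypothetical jails, documentation-range addresses.
SAMPLE_JAIL_CONF = """
www {
    ip4.addr = "em0|203.0.113.10";
    ip4.addr += "lo1|127.0.1.1";
    ip6.addr = "em0|2001:db8::10";
}
db {
    ip4.addr = "lo1|127.0.1.2", "em0|203.0.113.11";
    ip6.addr = "lo1|fd00:db8:1::2", "em0|2001:db8::11";
}
"""

def first_addresses(conf):
    """Return {jail: {param: address}} holding the first address listed per family."""
    result = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\}", conf, re.S):
        firsts = {}
        for param, op, value in re.findall(r"(ip[46]\.addr)\s*(\+?=)\s*([^;]+);", body):
            if op == "=" or param not in firsts:  # "=" resets the list, "+=" appends
                entry = value.split(",")[0].strip().strip('"')
                host = entry.split("|")[-1].split("/")[0]  # drop "iface|" and "/prefix"
                firsts[param] = ipaddress.ip_address(host)
        result[name] = firsts
    return result

def exposed_loopback(conf):
    """List (jail, param, address) where the first address is outside CONTAINED."""
    findings = []
    for jail, firsts in first_addresses(conf).items():
        for param, addr in sorted(firsts.items()):
            if not any(addr.version == n.version and addr in n for n in CONTAINED):
                findings.append((jail, param, str(addr)))
    return findings

if __name__ == "__main__":
    for jail, param, addr in exposed_loopback(SAMPLE_JAIL_CONF):
        print(f"{jail}: {param} starts with {addr}; loopback listeners bind there")
```

The parser ignores comments, nested blocks and variable substitution, so it suits a quick review of simple configurations rather than full jail.conf validation.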