From: Boris Samorodov <bsam@passap.ru>
To: Yoann Gini
Cc: freebsd-jail@freebsd.org
Date: Thu, 07 Mar 2013 20:39:47 +0400
Subject: Re: IPv4 addresses clash / jails not working after reboot…
Message-ID: <5138C2D3.5080505@passap.ru>

07.03.2013 16:29, Yoann Gini wrote:
>
> On 7 March 2013 at 10:58, Boris Samorodov wrote:
>
>> 07.03.2013 12:48, Yoann Gini wrote:
>>
>>> I need to share this IP, I've only one and I would like to avoid playing with NAT…
>>
>> One IP may be shared but for different services (ports).
>
> That's what I've understood and what I've planned.
>
>>> If someone has an idea…
>>
>> Give some more information:
>> 1. OS version, OS arch.
>
> FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
>> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
>
> What do you want in /etc? Except for the fstab, I don't see any config here; the fstab looks like that:
>
> /home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
> /usr/ports /home/jails/front0.public.example.com/usr/ports nullfs ro 0 0
>
> And here is the ezjail config:
>
> export jail_front0_public_example_com_hostname="front0.public.example.com"
> export jail_front0_public_example_com_ip=« IPv6Prefix::80,SharedIPv4,10.42.0.2"
> export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
> export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
> export jail_front0_public_example_com_exec_stop=""
> export jail_front0_public_example_com_mount_enable="YES"
> export jail_front0_public_example_com_devfs_enable="YES"
> export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
> export jail_front0_public_example_com_procfs_enable="YES"
> export jail_front0_public_example_com_fdescfs_enable="YES"
> export jail_front0_public_example_com_image=""
> export jail_front0_public_example_com_imagetype=""
> export jail_front0_public_example_com_attachparams=""
> export jail_front0_public_example_com_attachblocking=""
> export jail_front0_public_example_com_forceblocking=""
> export jail_front0_public_example_com_zfs_datasets=""
> export jail_front0_public_example_com_cpuset=""
> export jail_front0_public_example_com_fib=""
>
>> 3. What do you want to achieve?
>
> I want a setup with:
> — srv0 listens only for SSH on an alternate port for supervision on public IPv4/6;
> — front0 handles any public services (web, DNS, e-mail) on public IPv4/6;
> — service0 handles internal services (git, redmine, AFP sharepoints…) on a private IP and SSH on another alternate port on public IPv4/6;
> — gateway0 acts as a VPN server and web proxy to secure access to the private services on service0, and acts as a secure gateway to encrypt network traffic for road-warriors on public networks.
>
> In the end, I will dispatch those services on different servers, but for now I only have access to one system, so I would like to prepare the setup to be dispatched on different hardware when the budget comes.

That all seems reasonable...

> Actually, if I remove the SharedIPv4 from the jails, it works.

Did you configure any sysctl parameters for jails?

-- 
WBR, Boris Samorodov (bsam)
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve
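Boris's remark that one IPv4 address can be shared only if each jail serves different ports is something you can check before starting the jails; the script below is an added example (not from this thread, not part of ezjail) that reports port clashes on a shared address, treating a daemon bound to the wildcard `*` inside one jail as claiming every address, which is the conservative reading. It assumes a constructed input format of one listener per line, `<owner> <proto> <addr>:<port>`, which you would gather yourself (for instance from sockstat(1) run in each jail and on the host); the jail names and the `SharedIPv4` placeholder are the thread's.

```shell
#!/bin/sh
# Added example: find listener clashes on an IPv4 address shared between the host
# and several jails. Input (stdin): one listening socket per line in this script's
# own constructed format "<owner> <proto> <addr>:<port>". Output: one line per
# clashing pair, "<proto> <port> <owner1>(<addr1>) <owner2>(<addr2>)", sorted.

find_clashes() {
    awk '
        {
            owner[NR] = $1; proto[NR] = $2
            n = split($3, a, ":")            # port is the text after the last colon,
            port[NR] = a[n]                  # so IPv6 addresses also parse
            addr[NR] = substr($3, 1, length($3) - length(port[NR]) - 1)
        }
        END {
            for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++) {
                # same owner, different protocol or different port: no clash
                if (owner[i] == owner[j] || proto[i] != proto[j] || port[i] != port[j]) continue
                # same address, or a wildcard bind on either side, is a clash
                if (addr[i] == addr[j] || addr[i] == "*" || addr[j] == "*")
                    print proto[i] " " port[i] " " owner[i] "(" addr[i] ") " owner[j] "(" addr[j] ")"
            }
        }
    ' | sort
}

# Constructed sample: the host keeps SSH on 2222, front0 takes web and DNS,
# service0 takes SSH on 2223 plus an internal address, and gateway0 is
# misconfigured to also take 443 and to bind DNS on the wildcard address.
SAMPLE_LISTENERS='host tcp SharedIPv4:2222
front0 tcp SharedIPv4:80
front0 tcp SharedIPv4:443
front0 udp SharedIPv4:53
service0 tcp SharedIPv4:2223
service0 tcp 10.42.0.3:22
gateway0 tcp SharedIPv4:443
gateway0 udp *:53'

# Stand-alone run: prints the two clashes (tcp 443 and udp 53).
printf '%s\n' "$SAMPLE_LISTENERS" | find_clashes
```

On a live host, feed it the real listener list before `ezjail-admin start`; an empty result means each jail owns a disjoint set of ports on the shared address.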