From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: nospam@mgedv.net, freebsd-security@FreeBSD.ORG
Date: Thu, 4 May 2006 08:27:48 -0700 (PDT)
Subject: RE: Jails and loopback interfaces
Message-ID: <20060504152748.7790.qmail@web30304.mail.mud.yahoo.com>
In-Reply-To: <001401c66f8c$6dd0e8b0$01010101@avalon.lan>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

--- "No@SPAM@mgEDV.net" wrote:
> this part I definitely don't get.
> let's assume this one:
>
> 192.168.10.1 = jail ip of the ws
> 127.0.0.1 = jail ip of the db
> sending to 127.0.0.1 is not possible on 192.168.134.1 (kernel
> re-routes it to 192.168.134.1 if man jail is correct)
> if I set up forwarding rules I'd have to set up something for
> the real ip's port, no?

What do u mean with "real ip"? I assume u mean something that does not start with 127... Then u could give ur jails IPs that start with 10... (e.g. 10.2.2.2)

> and, I assumed that the setup mentioned can live without additional
> firewall rules.

Isn't the overhead caused by pf or ipfw negligible? I just did a test with and without ipfw and found that the minimum ping time without ipfw was 0.987sec and with 1.024sec, which possibly was caused by powerd, which throttled the CPU...

I say, maybe u want to do some funny experiments to find it out?

-Arne
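Arne's "test with and without ipfw" is a before/after comparison of ping's minimum round-trip time, with the caveat that CPU throttling by powerd can hide or fake the difference. The script below is an added example, not code from Arne or from the FreeBSD project: it parses the `round-trip min/avg/max/stddev` summary line that FreeBSD's ping(8) prints for two captured runs, reports the min-RTT delta, and only calls the delta meaningful when it exceeds the jitter (stddev) of both runs. The two ping outputs embedded in it are constructed sample data, and the 10.2.2.2 jail address is taken from Arne's suggestion to number jails from 10.x.

```shell
# Added example (not from the thread): compare the minimum RTT of two ping(8)
# runs against a jail address, one with ipfw loaded and one without, and flag
# whether the difference stands out from each run's own jitter.
# Both outputs below are constructed sample data in FreeBSD ping's format; on
# a real host you would capture them with e.g. `ping -c 100 10.2.2.2`.

PING_WITHOUT_IPFW='PING 10.2.2.2 (10.2.2.2): 56 data bytes
64 bytes from 10.2.2.2: icmp_seq=0 ttl=64 time=1.103 ms
64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=0.987 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=64 time=1.011 ms

--- 10.2.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.987/1.034/1.103/0.050 ms'

PING_WITH_IPFW='PING 10.2.2.2 (10.2.2.2): 56 data bytes
64 bytes from 10.2.2.2: icmp_seq=0 ttl=64 time=1.140 ms
64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=1.024 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=64 time=1.046 ms

--- 10.2.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.024/1.070/1.140/0.050 ms'

# ping_stat FIELD OUTPUT: print one field (1=min 2=avg 3=max 4=stddev, in ms)
# of the "round-trip min/avg/max/stddev = a/b/c/d ms" summary line.
ping_stat() {
    printf '%s\n' "$2" | awk -v i="$1" '/^round-trip/ { split($4, f, "/"); print f[i] }'
}

# rtt_delta_ms BASELINE CANDIDATE: min RTT of CANDIDATE minus min RTT of
# BASELINE, printed with three decimals (awk does the float arithmetic).
rtt_delta_ms() {
    awk -v a="$(ping_stat 1 "$1")" -v b="$(ping_stat 1 "$2")" \
        'BEGIN { printf "%.3f\n", b - a }'
}

# delta_exceeds_jitter BASELINE CANDIDATE: exit 0 only when the min-RTT delta
# is larger than the stddev of both runs. A delta inside the jitter cannot be
# attributed to the firewall; repeat the runs with powerd disabled first.
delta_exceeds_jitter() {
    awk -v d="$(rtt_delta_ms "$1" "$2")" \
        -v s1="$(ping_stat 4 "$1")" -v s2="$(ping_stat 4 "$2")" \
        'BEGIN { if (d > s1 && d > s2) exit 0; exit 1 }'
}

echo "min RTT without ipfw: $(ping_stat 1 "$PING_WITHOUT_IPFW") ms"
echo "min RTT with ipfw:    $(ping_stat 1 "$PING_WITH_IPFW") ms"
echo "delta:                $(rtt_delta_ms "$PING_WITHOUT_IPFW" "$PING_WITH_IPFW") ms"
if delta_exceeds_jitter "$PING_WITHOUT_IPFW" "$PING_WITH_IPFW"; then
    echo "difference exceeds per-run jitter"
else
    echo "difference is within per-run jitter; rerun with powerd disabled"
fi
```

With the constructed samples the delta is 0.037 ms against a stddev of 0.050 ms in each run, so the script refuses to credit the firewall with the difference; that is the same conclusion Arne draws from his own numbers, made explicit as a check rather than a hunch.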