From owner-freebsd-questions@FreeBSD.ORG Mon Jul 7 16:51:36 2008
Date: Mon, 7 Jul 2008 09:51:33 -0700
From: "David Allen" (envelope-from the.real.david.allen@gmail.com)
To: freebsd-questions@freebsd.org
Subject: Jails and IP Aliasing
Message-ID: <2daa8b4e0807070951u607ff031v98b5b96103fdab4@mail.gmail.com>
Unless I'm losing my mind, I'm encountering what seems to be yet another gotcha with jails. The following has been dumbed down for clarity and brevity.

---------------------------------------------------------------------
# hostname
jailhost.example.org

# host jailhost
jailhost.example.org has address 10.0.1.2

# ifconfig fxp0
fxp0: flags=8843 metric 0 mtu 1500
        options=b
        ether 00:07:e9:c8:2e:32
        inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
        inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
        inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
        media: Ethernet autoselect (100baseTX )
        status: active

# grep jail /etc/rc.conf
...
jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
...
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"

# sockstat -4l
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   11556 4   tcp4   10.0.1.4:25      *:*
root     syslogd    10591 6   udp4   10.0.1.4:514     *:*
root     sendmail   10438 4   tcp4   10.0.1.3:25      *:*
bind     named      4011  20  udp4   10.0.1.3:53      *:*
bind     named      4011  21  tcp4   10.0.1.3:53      *:*
bind     named      4011  22  tcp4   10.0.1.3:953     *:*
root     syslogd    897   6   udp4   10.0.1.3:514     *:*
root     sshd       715   3   tcp4   10.0.1.2:22      *:*
root     syslogd    563   6   udp4   127.0.0.1:514    *:*
root     sendmail   489   4   tcp4   127.0.0.1:25     *:*
---------------------------------------------------------------------

If I telnet from the jailhost to mail.example.org 25, for example, both outgoing and incoming connections appear to sockstat, tcpdump, etc. on the jailhost as using the jail's IP address! Similarly, if I perform a DNS lookup on the jailhost (using the ns.example.org jail for resolution), both incoming and outgoing connections occur on the jail's IP address.
Granted, everything is really happening over the loopback address, but a connection originating from the jailhost to a jail should appear to be using the jailhost's IP address, or so I'd like to think. If it doesn't, then the scenario is awkward at best when trying to understand or debug issues. The thought occurred to me, however, that I could add a new network card and reserve that for the IP aliases needed by the jails. But I'm not sure whether that will work in telling me who's who, or whether I'll discover another gotcha. ;-) Comments, questions and complaints all welcomed.
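One way to make "who's who" explicit when reading sockstat on a host whose jails share one interface via aliases, as in the setup above: map each listening local address back to the jail_<name>_ip entry in rc.conf that claimed it. This is an added example, not code from the post; the rc.conf and sockstat text below are constructed samples mirroring the post, and reading them from variables rather than from /etc/rc.conf and a live `sockstat -4l` is an assumption made so it runs anywhere.

```sh
#!/bin/sh
# Constructed sample of the jail_* lines from /etc/rc.conf (mirrors the post).
RC_CONF_SAMPLE='jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"'

# Constructed sample of `sockstat -4l` output (subset of the post's listing).
SOCKSTAT_SAMPLE='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 11556 4 tcp4 10.0.1.4:25 *:*
bind named 4011 20 udp4 10.0.1.3:53 *:*
root sshd 715 3 tcp4 10.0.1.2:22 *:*
root syslogd 563 6 udp4 127.0.0.1:514 *:*'

# owner_of ADDR: print the jail name whose jail_<name>_ip equals ADDR,
# or "host" when no jail claims it (the host's own address, loopback, ...).
owner_of() {
    printf '%s\n' "$RC_CONF_SAMPLE" | awk -v addr="$1" '
        /^jail_[A-Za-z0-9_]*_ip=/ {
            name = $0; sub(/^jail_/, "", name); sub(/_ip=.*/, "", name)
            ip = $0; sub(/^[^=]*=/, "", ip); gsub("\"", "", ip)
            if (ip == addr) { print name; found = 1; exit }
        }
        END { if (!found) print "host" }'
}

# annotate: print "<local address> <owner>" for every listening socket,
# so a listener on an alias is attributed to its jail at a glance.
annotate() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk 'NR > 1 { print $6 }' |
    while read -r local; do
        addr=${local%:*}
        printf '%s %s\n' "$local" "$(owner_of "$addr")"
    done
}

annotate
```

On a real host, replace the two samples with `sed -n '/^jail_/p' /etc/rc.conf` and `sockstat -4l`; sockets that belong to the host itself will show "host".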