Date:      Sat, 25 Aug 2018 17:21:12 +0200
From:      Dave Cottlehuber <dch@skunkwerks.at>
To:        freebsd-questions@freebsd.org
Subject:   Re: Jails and networks
Message-ID:  <1535210472.40142.1485918024.52274C37@webmail.messagingengine.com>
In-Reply-To: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>
References:  <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>

On Thu, 23 Aug 2018, at 20:44, Norman Gray wrote:
> 
> Greetings.
>
>    * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions.  But I now suspect I'm doing so naively.
>
> My host is on a 172.16.0.0/12 private network, which is routable
> locally, though it has to use a proxy to get to the web.  I want to set
> up a jail on (slightly at random) 192.168.11.128.

Your jail needs to have some way to send & receive traffic via the
host to the internet. Just adding a 192.168.0.0 address to the external
igb0 interface will only work if the adjacent router allows that, and
it almost certainly won't by default.

This means you need either NAT or routing on your system to take
care of this for you.

You might try your initial jail setup with a 17.16.0.0/12 address from
the same pool as your host, ensuring that the IP address is already
free, and then you can work through the other issues that crop up,
but soon you'll want pf for the jails on their own RFC1928 private
network.

I am no pf expert but something like this might be all you need:

# /etc/rc.conf additions
# jail networks
cloned_interfaces="${cloned_interfaces} lo1"
# provide a single IP for the jail using the IP you already chose
ifconfig_lo1="inet 192.168.11.128/16"
# provide additional 2 IPs for other jails
ifconfig_lo1_aliases="inet 192.168.11.129-130/32"
# and reboot

# /etc/pf.conf
# and `service pf start`

# interfaces
extl_if = "igb0"
jail_if = "lo1"

# networks
jail_net = $jail_if:network
internet = $extl_if:network

# clean packets are happy packets
scrub in all

# jails are allowed outbound connections but not inbound
# these should be set up explicitly using spiped or haproxy
# note: only TCP is translated here; for UDP (e.g. DNS from the jail) use
# `proto { tcp udp }` or add a second nat rule
nat on $extl_if proto tcp from $jail_net to any -> ($extl_if)

A+
Dave
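As an added example (not from Dave's message or the thread), a small POSIX sh helper that classifies a candidate jail address the way the advice above implies: is it RFC 1918 private, does it sit in the host's own pool (works without pf once the address is confirmed free), or is it on a separate private network that must be NATed through the external interface. It also shows what pf's `lo1:network` expands to for the lo1 prefix. The host pool (172.16.0.0/12) and the example addresses are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# ip2int 192.168.11.128 -> 3232238464 (dotted quad to 32-bit integer)
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232238464 -> 192.168.11.128
int2ip() {
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# in_cidr IP NET/PREFIX -> exit status 0 if IP lies inside the network
in_cidr() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# network_of 192.168.11.128/16 -> 192.168.0.0
# (the address block pf's $jail_if:network will match for that lo1 prefix)
network_of() {
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    int2ip $(( $(ip2int "${1%/*}") & mask ))
}

# classify_jail_ip IP HOSTPOOL -> public | host-pool | nat
classify_jail_ip() {
    if ! { in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 \
           || in_cidr "$1" 192.168.0.0/16; }; then
        echo public      # not private: the upstream router would have to route it
    elif in_cidr "$1" "$2"; then
        echo host-pool   # same pool as the host: no NAT, just pick a free address
    else
        echo nat         # own private network: needs lo1 plus the pf nat rule
    fi
}

# usage with the addresses from the thread (host pool 172.16.0.0/12)
classify_jail_ip 192.168.11.128 172.16.0.0/12   # nat
network_of 192.168.11.128/16                    # 192.168.0.0
```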
