From owner-freebsd-current@FreeBSD.ORG Tue May 31 17:40:38 2005
From: Julian Elischer <julian@elischer.org>
Date: Tue, 31 May 2005 10:40:37 -0700
To: Jeremie Le Hen
Cc: Emanuel Strobl, freebsd-current@freebsd.org
Subject: Re: different default gateway for jails planned/possible?
Message-ID: <429CA195.3040900@elischer.org>
In-Reply-To: <20050531104104.GL54337@obiwan.tataz.chchile.org>
References: <200505310014.50780@harrymail> <20050531104104.GL54337@obiwan.tataz.chchile.org>
List-Id: Discussions about the use of FreeBSD-current

Jeremie Le Hen wrote:

> Hi Emanuel,
>
>> Will it be possible to define a different default gateway for a jail?
>> Imagine a system with two interfaces, one for the host on a local GbE
>> switch (with NFS service) and the other one connected to a different
>> DMZ switch which should serve different jails.
>> Now the DMZ is useless since anybody who broke into one jail can reach all
>> hosts on the "host" interface without having the possibility to restrict
>> traffic on the router since the packets go straight to the GbE interface.
>> This is a big security disadvantage, and if I block these packets I can't
>> any longer connect from machines inside the GbE network to the jails in
>> the DMZ. The request will be routed but answers go down the "host"
>> interface instead of to the DMZ router interface. Even a different default
>> gateway wouldn't help in this case; the kernel had to "keep in mind" that
>> packets from a jail mustn't be forwarded through any jail-foreign
>> interface. Also the usual routing table had to be overwritten since
>> packets from a jail should go over the router to the GbE network (although
>> there is a well known route, the interface which has the GbE net
>> configured).
>> But at least packets from a jail should be limited so that they can't pass any
>> other interface(s) than the one(s) which belong to the particular jail.
>> I think PF's route-to next-hop rule would be a workaround for my problem,
>> but I'm not too happy to have PF on a GbE fileserver.
>
> I think you can use ipfw(8) as a workaround, since it knows about
> jail IDs and can forward packets to any IP address. Netgraph is maybe
> an alternative, but I'm not sure about it.

You are correct. Your best bet is to use the 'fwd' command of ipfw to
send packets from the JAIL IP to a different gateway.

> IMHO, hacking the IP stack in order to make it jail aware would lead
> to a real mess. The right way to do this would be to have IP stack
> virtualization, as it exists for RELENG_4 [1]. Unfortunately, this
> is available neither for RELENG_5 nor CURRENT, and my coding skills
> are clearly not good enough to do this.
>
>> Another jail question: Is it possible to limit resources on a jail basis?
>> Like resource restrictions for users in login.conf, only for whole jails.
>
> AFAIK, no, this is not possible; this would need virtualization as well.
>
> [1] http://www.tel.fer.hr/zec/vimage/
>
> Regards,
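The ipfw 'fwd' approach Julian recommends, written out as an added example (this is not code from the thread or from the FreeBSD project). It builds the rule set that hands every packet a jail sends outside its own segment to the DMZ router, overriding the host's direct route to the GbE network, and adds two guard rules so that jail traffic can neither leave nor arrive on the host-side interface. All addresses, the DMZ network, the router and the interface name (192.0.2.10, 192.0.2.0/24, 192.0.2.1, em0) are constructed placeholders, and the rule numbers are arbitrary; on the FreeBSD versions discussed the kernel must be built with options IPFIREWALL_FORWARD for 'fwd' to take effect, and 'fwd' is a terminal action, so it has to come before the deny rules.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules that pin a jail's egress to
# the DMZ router with 'fwd' and refuse any jail traffic on the host-side
# interface. Every address and interface name is a placeholder (assumption).
# The kernel needs "options IPFIREWALL_FORWARD" for 'fwd' to take effect.

# jail_egress_rules JAIL_IP DMZ_NET DMZ_GW HOST_IF [BASE]
# Prints the rule bodies, one per line, in the order they must be installed.
jail_egress_rules() {
    jail_ip=$1; dmz_net=$2; dmz_gw=$3; host_if=$4; base=${5:-1000}
    # Everything the jail sends outside its own segment is handed to the DMZ
    # router, regardless of what the host routing table says (including the
    # directly connected route to the GbE network). 'fwd' terminates the
    # search, so it must precede the guard rules below.
    printf '%d fwd %s ip from %s to not %s out\n' \
        "$base" "$dmz_gw" "$jail_ip" "$dmz_net"
    # Guard: should the fwd rule ever be removed or be inert, nothing from
    # the jail may leave through the host interface.
    printf '%d deny ip from %s to any out xmit %s\n' \
        "$((base + 10))" "$jail_ip" "$host_if"
    # Guard: traffic for the jail has to arrive through the DMZ router, not
    # be injected directly on the host-side segment.
    printf '%d deny ip from any to %s in recv %s\n' \
        "$((base + 20))" "$jail_ip" "$host_if"
}

# apply_rules: feed the rule bodies to ipfw(8). Unless APPLY=1 is set it only
# prints the commands, so the rule set can be reviewed on any machine.
apply_rules() {
    jail_egress_rules "$@" | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw add $rule
        else
            echo "ipfw add $rule"
        fi
    done
}

# Placeholder topology (constructed values): jail 192.0.2.10 lives on the DMZ
# 192.0.2.0/24 behind router 192.0.2.1; em0 is the host's GbE interface.
apply_rules 192.0.2.10 192.0.2.0/24 192.0.2.1 em0
```

Run without APPLY=1 to see the three `ipfw add` commands; with APPLY=1 on the host they are installed. Replies from the jail to a machine on the GbE network then match the fwd rule and go to the DMZ router rather than straight out em0, which is exactly the asymmetric path Emanuel describes, and the router sees both directions of the traffic.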