From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
Date: Wed, 8 Feb 2006 17:43:19 +0100 (CET)
Subject: Re: OpenVPN within a Jail under 6.x ...

Marc G. Fournier wrote:
 > Oliver Fromme wrote:
 > > The problem is that you need to configure interfaces
 > > (tun(4) or tap(4)) to set up the VPN, but ifconfig(8)
 > > does not work inside a jail. That means you cannot
 > > set up a VPN inside a jail. However, you can _use_
 > > it within a jail, of course, if you assign the IP of
 > > the VPN connection to the jail
 >
 > 'k, how would you do that? I thought you could only assign one IP to a
 > jail, both in 4.x and 6.x?

True. I meant that the IP of the VPN connection is the
only IP of the jail.

Or, if you can't do that, forward the packets into the
jail using IPFW FWD rules and NAT. In that case, the
jail doesn't need to have the VPN connection's IP. In
fact, you can set the IP of the jail to a localnet IP
(such as 127.0.1.1), which isn't routable and isn't
accessible from the outside at all. That's often done
to improve security.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

(On the statement print "42 monkeys" + "1 snake":) By the way,
both perl and Python get this wrong. Perl gives 43 and Python
gives "42 monkeys1 snake", when the answer is clearly "41 monkeys
and 1 fat snake". -- Jim Fulton