From: Julian Elischer
To: Rob J, freebsd-net@freebsd.org
Date: Fri, 25 Apr 2014 13:39:46 +0800
Subject: Re: vnet - using a jail as a default firewall gateway to internet
Message-ID: <5359F522.5080905@freebsd.org>

On 4/25/14, 7:23 AM, Rob J wrote:
> Hi,
>
> I have been playing with vnet jails, and have a configuration working that
> I thought would not be (based on the docs out there), but it is. I have a
> box with 3 NICs - hme0, em0 and em1. Basically, with the assumption that
> the internet facing gateway is potentially a weak point, I set out to
> configure a jail on the above box to be the gateway, rather than the
> physical host itself. I recompiled the kernel, with the VIMAGE option, and
> set up a jail that uses em0 (192.168.x.y) as the LAN side and hme0 (public
> IP a.b.c.d) as the ISP side.

Conceptually, the normal base system is just a single instance of a vnet
jail, so any situation that you can do with a separate machine as router
should be doable with a vnet jail in that role.

The error messages you see are because some sysctls can not be done from
within a jail. There may be a setting to allow them to happen in a jail...
I have not checked.

You may attach your regular 'base' system to the jail using a physical
ethernet, or it may have a shortcut with its own epair or netgraph link to
the router instance.

This is exactly the sort of situation we wanted to write vnets for..

> On the jail itself, its default route to the internet is public IP a.b.c.e
> (same network as interface hme0 above). Then I set the rest of my LAN to
> point to 192.168.x.y (interface em0 above) as the default gateway. I have
> access to the internet with that configuration, routing through the jail
> (or at least I think so) - everything seems to work. The two errors I get
> upon starting the jail are: "sysctl: net.inet.ip.sourceroute not
> permitted" and "sysctl: net.inet.ip.accept_sourceroute not permitted".
> Anybody know what may be broken with my configuration? All the docs I read
> about having a jail route traffic seemed to imply it is undoable.
>
> Did I create a glaring hole in my network by having this design as my
> firewall and router? I also noticed that the physical host is doing all
> the logging for dmesg and security, when I thought the jail would, but it
> is beginning to make sense that the kernel is only running on the physical
> host, and therefore does the logging of all kernel related activities.
>
> Any comments or suggestions welcome.
>
> Thanks,
>
> Robert
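As an added illustration of the layout Julian describes (a vnet jail owning em0 and hme0, the host attached to it through its own epair), here is a constructed jail.conf plus the jail's rc.conf; this is not configuration from the thread or from FreeBSD itself, and the jail name, path, epair addresses and the public netmask are assumptions.

```conf
# /etc/jail.conf on the host (constructed example; jail name "gw", path,
# and the 10.0.0.0/30 epair link are assumptions, not values from the thread)
gw {
	path = "/jails/gw";
	host.hostname = "gw.example.net";
	vnet;
	# em0 (LAN) and hme0 (ISP) leave the host's vnet and belong to the jail;
	# epair0b is the jail's end of the host<->router shortcut.
	vnet.interface = "em0", "hme0", "epair0b";
	# exec.prestart runs before the jail exists, so the pair is created here;
	# epair0a stays on the host side.
	exec.prestart  = "ifconfig epair0 create";
	exec.prestart += "ifconfig epair0a 10.0.0.2/30 up";
	exec.poststop  = "ifconfig epair0a destroy";
	exec.start = "/bin/sh /etc/rc";
	exec.stop  = "/bin/sh /etc/rc.shutdown";
	exec.clean;
	mount.devfs;
	persist;
	# Leave the defaults alone: no allow.raw_sockets, allow.sysvipc or
	# allow.mount; the router jail needs none of them.
}

# /jails/gw/etc/rc.conf inside the jail
gateway_enable="YES"              # net.inet.ip.forwarding is per-vnet, so this takes effect
ifconfig_hme0="inet a.b.c.d/NN"   # ISP side; NN = the prefix length your ISP gives you
ifconfig_em0="inet 192.168.x.y/24"
ifconfig_epair0b="inet 10.0.0.1/30"
defaultrouter="a.b.c.e"
firewall_enable="YES"             # ipfw is vnet-aware; rules live in the jail's vnet
firewall_type="workstation"       # assumption; replace with your own ruleset
sshd_enable="NO"

# Host side: with em0 and hme0 gone, the host reaches the LAN and the
# internet only through epair0a, so in the host's /etc/rc.conf:
#   defaultrouter="10.0.0.1"
#
# About the two "not permitted" messages: /etc/rc.d/routing always writes
# net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute at boot, and
# those two knobs are global rather than per-vnet, so a jail is refused.
# They are harmless here; just confirm on the host that both stay at 0:
#   sysctl net.inet.ip.sourceroute net.inet.ip.accept_sourceroute
```

Kernel messages and ipfw's kernel-side logging still land in the host's dmesg and syslog, as Robert noticed, because the jail shares the host kernel; only the network stack state is separate.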