Date: Sun, 26 Jun 2016 09:43:53 -0600
From: Alan Somers <asomers@freebsd.org>
To: org.freebsd.security@io7m.com
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: ifconfig: BRDGADD lo1: invalid argument
Message-ID: <CAOtMX2gT-g8=VcsnOknAqGQmY4xG56GMPzHP5eAcRgsgNhAUeQ@mail.gmail.com>
In-Reply-To: <20160626093754.5e534ff4@copperhead.int.arc7.info>
References: <20160625164240.7cea7587@copperhead.int.arc7.info> <20160625234636.2f086908@x23> <20160625220551.646eccb6@copperhead.int.arc7.info> <CAOtMX2hv_ePxVwrzYaXBjcO=uCez4V50OGFGCrzjCV87az9RLw@mail.gmail.com> <20160626093754.5e534ff4@copperhead.int.arc7.info>
On Sun, Jun 26, 2016 at 3:37 AM, <org.freebsd.security@io7m.com> wrote:
> Hello.
>
> On 2016-06-25T18:13:18 -0600
> Alan Somers <asomers@freebsd.org> wrote:
>
>> On Sat, Jun 25, 2016 at 4:05 PM, <org.freebsd.security@io7m.com> wrote:
>> > I'm not using vnet jails. I'm actually just trying to get filtering of
>> > outbound traffic (see the other mail I sent to this list a few seconds
>> > before you responded).
>>
>> Based on my experience, I highly recommend vnet jails if you want
>> outbound filtering. It's much simpler than trying to filter outbound
>> traffic from shared-IP jails.
>
> I'm trying to look at vnet jails, but they still seem to be mostly
> undocumented and not entirely supported. Lots of fairly recent posts
> online regarding panics in day-to-day use. Using them in production
> seems risky. Is there something I should be looking at in particular?

I'm not sure how many known bugs they have. Adrian Chadd (adrian@) is the best person to ask.

>
> When you say shared-IP jails, what exactly are you referring to? I'm
> not sure what's shared in this case; I have one public IP (it's a VPS)
> but individual jails are on their own private loopback addresses.

A shared-IP jail is the traditional, non-vnet type. You assign an alias address to one of the host's network interfaces, and then assign that address to the jail. It's called "shared-IP" because both host and jail can see a network interface with that IP address.

>
> M
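The two jail styles contrasted above, as an added jail.conf example that is not part of the thread: a shared-IP jail built on an lo1 alias beside a vnet jail on an epair, with a note on where host-side filtering attaches in each case. Jail names, paths, the 10.1.0.0/24 range and the interface names lo1/epair0 are assumptions.

```conf
# /etc/jail.conf (added example, not from the thread; names, paths and
# addresses are assumptions). Shared parameters for both jails:
path = "/jails/$name";
mount.devfs;

# Shared-IP jail (the traditional, non-vnet type). When the jail starts,
# jail(8) adds 10.1.0.2 as an alias on the host's own lo1 and hands that
# address to the jail. Host and jail both see lo1 carrying this address,
# hence "shared IP". There is a single network stack, so host pf rules can
# only tell the jail's outbound packets from the host's own by source
# address, which is why outbound filtering is awkward here.
shared {
    host.hostname = "shared.example.internal";
    interface = "lo1";
    ip4.addr = 10.1.0.2;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}

# VNET jail. The jail gets its own network stack plus the epair0b end of a
# virtual cable; epair0a stays with the host. Everything the jail sends
# arrives on the host as inbound traffic on epair0a, so the host can filter
# the jail's outbound traffic by interface instead of by address, e.g.
#   block in on epair0a
#   pass in on epair0a proto tcp from 10.1.0.3 to any port { 80 443 }
# (NAT from 10.1.0.0/24 to the public interface is still needed for the
# jail to reach the outside.)
vnet_jail {
    host.hostname = "vnet.example.internal";
    vnet;
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair0a inet 10.1.0.1/24 up";
    # exec.start runs inside the jail, so it can configure the jail's own end
    exec.start     = "ifconfig epair0b inet 10.1.0.3/24 up";
    exec.start    += "route add default 10.1.0.1";
    exec.start    += "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair0a destroy";
}
```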