From: Josh Beard
To: Fbsd8
Cc: freebsd-jail@freebsd.org
Date: Fri, 2 Aug 2013 14:44:47 -0600
Subject: Re: Starting jail breaks routing / multi-network jail
In-Reply-To: <51FBAE91.7030205@a1poweruser.com>
References: <51FBAE91.7030205@a1poweruser.com>

Thanks for the advice, but not totally correct.

On Fri, Aug 2, 2013 at 7:05 AM, Fbsd8 wrote:
> Josh Beard wrote:
>
>> Hello,
>>
>> I posted this on forums.freebsd.org (
>> http://forums.freebsd.org/showthread.php?t=41135),
>> but figured I may have
>> better luck here.
>>
>> <--snipped-->
>
>
> Let me start off by saying I am no network expert. This is my understanding
> of how jail works.
>
> 1. There are 2 ways to define jails, the legacy rc.d-script method where
> the jail description parameters are in /etc/rc.conf and the jail(8) method
> that finally has all the bugs fixed in 9.2 where the jail description
> parameters are in /etc/jail.conf. These 2 methods cannot be mixed together.
>
> 2. By design normal jails defined using either method ONLY access a
> single NIC having a single or multiple IPv4/IPv6 ip address/addresses.
>
> 3. The only way to assign multiple NICs to a jail is by using the highly
> experimental vimage software that has to be compiled into the host's kernel,
> which limits the host to only using the IPFW firewall. PF and IPF firewalls on
> the host with vimage will cause a hang.

No - I'm using multiple NICs on my jails with different addresses without
using vimage.

> 4. fib's are only configured on the host, it takes a boot option or the
> kernel has to be recompiled to increase the number of system fibs available
> to the host before you can assign a second one to a jail.
>
> 5. This is incorrect syntax
> ip="igb0|172.30.112.192,igb1|24.111.1.a"
> should be
> ip="172.30.112.192,24.111.1.a"
> No nic device name. Not issuing an error does not mean it's correct.

That *does* work! Again, I'm using ezjail. Not sure how stock jail
configuration is.

> My jail system has 4 LAN only jails that have outbound access to the
> public internet and 2 publicly accessible jails for my web and email servers
> using the same public routable dynamic IPv4 IP address assigned by my ISP
> without the need for special host firewall port redirection.
>
> I use the qjail version 3.1 utility to admin my jail system.
> Due to the 9.2-BETA port freeze, qjail-3.2, which adds IPv6 support, has not
> been committed to the ports system yet.
>
> The port-make-files can be downloaded from here
> http://sourceforge.net/projects/qjail/files/Port%20make%20files/
>
> Good luck.

Thanks.
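The interface-qualified address form Josh is relying on, written out as an added jail.conf(5) example alongside the ezjail/legacy rc.conf form quoted in the thread; this is not code from either poster, ezjail or qjail, and the jail name, path, hostname and the PUBLIC.ADDR.PLACEHOLDER standing in for the redacted public address are assumed.

```conf
# /etc/jail.conf (added example; jail name, path and hostname are assumed)
multinet {
    path = "/usr/jails/multinet";
    host.hostname = "multinet.example.org";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;

    # One alias per NIC. The "interface|address/prefix" form tells jail(8)
    # which interface to add each alias to and remove it from, so no global
    # "interface" parameter is set and no VIMAGE kernel is required.
    ip4.addr  = "igb0|172.30.112.192/24";
    ip4.addr += "igb1|PUBLIC.ADDR.PLACEHOLDER/24";
}

# Legacy rc.conf / ezjail form of the same assignment (the syntax point 5
# quotes); do not combine this with a jail.conf definition of the same jail.
jail_multinet_ip="igb0|172.30.112.192,igb1|PUBLIC.ADDR.PLACEHOLDER"

# Caveat: without VIMAGE the jail has no routing table of its own. It uses
# the host's FIB (or the one selected with a "fib" parameter), so outbound
# replies from the igb1 address still follow the host's default route unless
# the host's routing is set up for it. After "jail -c multinet", confirm the
# aliases landed on the intended NICs with "jls -v" and "ifconfig igb1".
```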