From: bc
To: freebsd-security@freebsd.org
Organization: Default Inc.
Date: Thu, 05 Jul 2007 10:54:36 +0200
Subject: Re: Jails and loopback interfaces

On Mon, 2007-07-02 at 12:43 -0500, Matt Simerson wrote:
> The problem I have with this arrangement is when a jail attempts to
> connect to the public IP of another jail, the connection fails. So,
> a client running in one jail can't send email to my mail server
> running in another jail.

You can try keeping an up-to-date version of /etc/hosts with hostnames of public services pointing to your 127.0.0.2+ IPs. It's dirty, but at least it keeps your pf.conf as clean as possible. It works for me and it should for you if you don't move services around a lot.
Then it requires lots of recursive changes in each jail if you move some service from one IP to another.
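
One way to cut down the per-jail edits mentioned above, as an added example that is not part of the original message: keep a single map file and regenerate a marked block in every jail's /etc/hosts from it. The map file format, the marker comments, the function names and the paths in the usage line are assumptions made for this example.

```sh
#!/bin/sh
# Added example. Map file format (assumed): "<127.x.y.z> <hostname> [alias...]"
BEGIN_MARK='# BEGIN jail-services (managed)'
END_MARK='# END jail-services (managed)'

# render_block MAPFILE: print the managed block; fail on any entry that does
# not point at a loopback address, so a typo cannot redirect a service name.
render_block() {
    echo "$BEGIN_MARK"
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 2 || $1 !~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf "bad map line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1; next
        }
        { print }
        END { exit bad + 0 }
    ' "$1" || return 1
    echo "$END_MARK"
}

# sync_jail_hosts MAPFILE JAILROOT...: replace the managed block in each
# JAILROOT/etc/hosts and leave every other line untouched.
sync_jail_hosts() {
    map=$1; shift
    block=$(mktemp "${TMPDIR:-/tmp}/jailhosts.XXXXXX") || return 1
    if ! render_block "$map" > "$block"; then rm -f "$block"; return 1; fi
    for root in "$@"; do
        hosts="$root/etc/hosts"
        [ -f "$hosts" ] || { echo "skip $root: no etc/hosts" >&2; continue; }
        tmp=$(mktemp "$hosts.XXXXXX") || { rm -f "$block"; return 1; }
        # Drop the previous managed block, append the fresh one, swap in place.
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip
        ' "$hosts" > "$tmp" && cat "$block" >> "$tmp" &&
            chmod 644 "$tmp" && mv "$tmp" "$hosts" ||
            { rm -f "$tmp" "$block"; return 1; }
    done
    rm -f "$block"
}

# Usage: sh sync-hosts.sh /path/to/map /jails/mail /jails/www
if [ "$#" -ge 2 ]; then sync_jail_hosts "$@"; fi
```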