From owner-freebsd-questions@FreeBSD.ORG Thu Aug 21 03:11:57 2014
Return-Path:
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 260001A9 for ; Thu, 21 Aug 2014 03:11:57 +0000 (UTC)
Received: from m2.gritton.org (gritton.org [63.246.134.121])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id E86AF3928 for ; Thu, 21 Aug 2014 03:11:56 +0000 (UTC)
Received: (authenticated bits=0) by m2.gritton.org (8.14.9/8.14.9) with ESMTP id s7L3BtmK026517;
 Wed, 20 Aug 2014 23:11:55 -0400 (EDT) (envelope-from jamie@gritton.org)
Message-ID: <53F56375.8000300@gritton.org>
Date: Wed, 20 Aug 2014 21:11:49 -0600
From: James Gritton
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: questions@freebsd.org
Subject: Re: putting jails on public addresses
References: <53F52D26.6070600@tysdomain.com> <53F55E7D.7030206@gritton.org> <53F5612F.7070902@tysdomain.com>
In-Reply-To: <53F5612F.7070902@tysdomain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: tyler@tysdomain.com
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 21 Aug 2014 03:11:57 -0000

On 8/20/2014 9:02 PM, Littlefield, Tyler wrote:
> On 8/20/2014 10:50 PM, James Gritton wrote:
>> On 8/20/2014 5:20 PM, Littlefield, Tyler wrote:
>>> Hello:
>>> I'd really like to put a couple of jails on publicly accessible IP addresses. I have 5 that my
>>> provider has assigned to me. Could anyone possibly shed some light on how to do this?
>>> I know of epairs, but I'm not sure exactly how this works: does each interface (a and b) get an
>>> address? I presume one would be 192.168.0.8 and the other would be x.x.x.x (where x.x.x.x is the
>>> public address)? Which one should I set the gateway on?
>>> Thanks a lot for the help,
>>
>> You shouldn't need to mess with epair for most jails. Just specify the jails' addresses
>> (ip4.addr=x.x.x.x) in your jail.conf, and be sure to have an "interface=foo0" global line. The
>> simplest jail setup is one using publicly available addresses on a single interface, which
>> sounds like what you have.
>>
> Hello:
> Thanks a lot for the info. I guess I should have been a bit more explicit: I want to be able to
> assign firewall rules to these separate jails. I don't think I can assign rules based on address
> but have to have some sort of interface. For example, port 80 will be open on two jails, but one
> should have rate limiting applied to it.
> Thanks,

Ah yes, that is indeed more complicated :-). I've never done any firewall rules involving interfaces, so I'm out of my depth there. I've had no problems with the simple things like restricting ports on different IP addresses on the same interface, but that doesn't mean I wouldn't have problems with rate limiting.

If it does indeed take its own interface, you have to connect the other end to somewhere. The original Vimage work relied a lot on netgraph(4), but it sounds like you should be able to get by with an epair and an if_bridge. Your physical interface would be bridged with one side of all the epairs, and the bridge would have the server address and all the jail addresses. Then each jail gets assigned the other half of one epair, and an internal IP address to go with it. All that sounds good in theory, but take it as the advice of someone who hasn't typed a single test command in that area :-).

- Jamie
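The two setups discussed in this thread, written out as an added jail.conf example (editor's illustration, not configuration posted by either participant). It assumes the host's physical NIC is em0, that em0 has been made a member of bridge0 and the host's own address moved onto bridge0, that the kernel is built with options VIMAGE (needed for the vnet jail), that the provider's router is 203.0.113.1, and that 203.0.113.0/24 (a documentation range) stands in for the provider-assigned block. The vnet jail is given one of the public addresses directly rather than an internal address, since that is what the original question asked for.

```conf
# Added example jail.conf (not from the thread). Two jails: "www1" takes a
# plain alias on the shared interface, the simple case Jamie describes;
# "www2" owns the b end of an epair whose a end is a member of bridge0, so
# host-side firewall rules have a per-jail interface to match on.
# Assumptions: em0 is already a member of bridge0 and the host address
# 203.0.113.10/24 lives on bridge0; the kernel has options VIMAGE;
# 203.0.113.1 is the provider's gateway.

# Global defaults shared by every jail below.
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

# The global "interface=" line: ip4.addr aliases are added to this interface
# when a jail starts and removed when it stops.
interface = "bridge0";

# Simple case: shares the host network stack and just gets one public
# address as an alias on bridge0. Host firewall rules can only key on the
# address here, because there is no per-jail interface.
www1 {
    ip4.addr = 203.0.113.11;
}

# Per-interface case: own network stack (vnet) plus the b end of an epair.
# The a end stays on the host, plugged into bridge0 next to em0, so a host
# rule written against epair1a sees exactly this jail's traffic.
www2 {
    vnet;
    vnet.interface = "epair1b";

    # On the host, before the jail exists: create the pair and attach the
    # a end to the bridge.
    exec.prestart  = "ifconfig epair1 create";
    exec.prestart += "ifconfig epair1a up";
    exec.prestart += "ifconfig bridge0 addm epair1a";

    # Inside the jail's own stack: address the b end, set the default
    # route, then run the normal rc startup (overrides the global exec.start).
    exec.start  = "ifconfig epair1b inet 203.0.113.12/24 up";
    exec.start += "route add default 203.0.113.1";
    exec.start += "/bin/sh /etc/rc";

    # After the jail is gone: detach the a end from the bridge and destroy
    # the pair (destroying epair1a removes epair1b as well).
    exec.poststop  = "ifconfig bridge0 deletem epair1a";
    exec.poststop += "ifconfig epair1a destroy";
}
```

The bridge itself is set up outside jail.conf; with the assumptions above, rc.conf lines along the lines of `cloned_interfaces="bridge0"`, `ifconfig_em0="up"` and `ifconfig_bridge0="inet 203.0.113.10/24 addm em0 up"` do it, so that em0 carries no address of its own. For the firewall side, note that the host's packet filter does not run inside www2's vnet at all; what it can see is the bridged traffic on the member interface epair1a (subject to the net.link.bridge.pfil_member sysctl, which defaults to on), which is the handle an interface-keyed rule such as an ipfw `recv epair1a` match or a pf `on epair1a` rule would use. The specific rate-limiting rules are not covered in the thread and are not shown here.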