Date: Thu, 21 Aug 2014 05:47:57 +0200
From: "Michael Ross" <gmx@ross.cx>
To: "James Gritton" <jamie@gritton.org>, questions@freebsd.org, "Littlefield, Tyler" <tyler@tysdomain.com>
Subject: Re: putting jails on public addresses
Message-ID: <op.xkxbh7ucg7njmm@michael-think>
In-Reply-To: <53F5612F.7070902@tysdomain.com>
References: <53F52D26.6070600@tysdomain.com> <53F55E7D.7030206@gritton.org> <53F5612F.7070902@tysdomain.com>

On Thu, 21 Aug 2014 05:02:07 +0200, Littlefield, Tyler <tyler@tysdomain.com> wrote:

> On 8/20/2014 10:50 PM, James Gritton wrote:
>> On 8/20/2014 5:20 PM, Littlefield, Tyler wrote:
>>> Hello:
>>> I'd really like to put a couple of jails on publicly accessible IP
>>> addresses. I have 5 that my provider has assigned to me. Could anyone
>>> possibly shed some light on how to do this? I know of epairs, but I'm
>>> not sure exactly how this works: does each interface (a and b) get an
>>> address? I presume one would be 192.168.0.8 and the other would be
>>> x.x.x.x (where x.x.x.x is the public address)? Which one should I set
>>> the gateway on?
>>> Thanks a lot for the help,
>>
>> You shouldn't need to mess with epair for most jails. Just specify the
>> jails' addresses (ip4.addr=x.x.x.x) in your jail.conf, and be sure to
>> have an "interface=foo0" global line. The simplest jail setup is one
>> using publicly available addresses on a single interface, which sounds
>> like what you have.
>>
> Hello:
> Thanks a lot for the info. I guess I should have been a bit more
> explicit: I want to be able to assign firewall rules to these separate
> jails. I don't think I can assign rules based on address but have to
> have some sort of interface. For example, port 80 will be open on two
> jails, but one should have rate limiting applied to it.
> Thanks,
>
>> - Jamie

With ipfw, you could do something like:

allow ip from any to <x.x.x.100> 80
allow ip from any to <x.x.x.101> 80 limit src-addr 4
reset ip from any to me 80 # catch-all

Michael
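
An added example, not part of the original message: a small sh function that writes out the per-address idea above as an ipfw rule file, using tcp, setup, check-state and keep-state so that the limit src-addr rule has connection state to count. The 203.0.113.x addresses, the rule numbers and the names JAIL_WEB_POLICY and gen_jail_web_rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example: emit an ipfw rule file that gives each jail address
# its own port-80 policy, selected purely by destination address.

# Constructed policy table, one "address:limit" entry per jail.
# Addresses are from the RFC 5737 documentation range (placeholders).
# limit = max concurrent connections per source address, 0 = no cap.
JAIL_WEB_POLICY="203.0.113.100:0 203.0.113.101:4"

gen_jail_web_rules() {
    num=1000   # hypothetical starting rule number
    # Packets of flows already admitted by keep-state/limit match here.
    echo "add $num check-state"
    for entry in $JAIL_WEB_POLICY; do
        addr=${entry%%:*}
        limit=${entry##*:}
        num=$((num + 100))
        if [ "$limit" -gt 0 ]; then
            # Rate-limited jail: cap concurrent connections per source.
            echo "add $num allow tcp from any to $addr dst-port 80 setup limit src-addr $limit"
        else
            # Unrestricted jail: plain stateful allow.
            echo "add $num allow tcp from any to $addr dst-port 80 setup keep-state"
        fi
    done
    num=$((num + 100))
    # Catch-all from the message: other port-80 TCP to a local
    # address is answered with a reset.
    echo "add $num reset tcp from any to me dst-port 80"
}

# Print the rule file. Review it, save it, then load it with
# "ipfw -q" followed by the absolute path of the saved file.
gen_jail_web_rules
```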