Date: Fri, 17 Jul 2020 08:46:07 -0400 From: Ernie Luzar <luzar722@gmail.com> To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, David Mehler <dave.mehler@gmail.com>, Ernie Luzar <luzar722@gmail.com> Subject: vnet jail for local only or public access Message-ID: <5F119D8F.7030407@gmail.com> In-Reply-To: <CAPORhP4oNhA2vT5UG2OtV=JDbwcUCdXsXxzQXjZKSg1Fc6qe2Q@mail.gmail.com> References: <CAPORhP5%2BQ8TX_DuwbdAfvqf97pX=SCRfgyOz%2BzvMqPdnJ2gmYA@mail.gmail.com> <CAPORhP6a=3%2BF_xnYP-bL2MWoRYqjU7zXhNHQg6q4Bgg4P71Xsg@mail.gmail.com> <5EFCD605.4000409@gmail.com> <CAPORhP7R26Y85-XjFXqKtAzr2A8RxHgK530CJzp8y73tcgjMDg@mail.gmail.com> <5EFD095F.4040507@gmail.com> <CAPORhP408Cmb2FG89VOpUJJZhGJ2KUG70%2B0pMnzyk3Xev4vi1Q@mail.gmail.com> <5F0119F3.40806@gmail.com> <CAPORhP7QpZ3=3iPfogcKsqf0gBtgLvOdbNLG9=-Hk=8XjNCrcA@mail.gmail.com> <5F049E65.8000701@gmail.com> <CAPORhP7q5s14qy7VcX0rSLbOimweh7aXZuqmPNzTSAchLOHe9w@mail.gmail.com> <5F0DEE4A.6080600@gmail.com> <CAPORhP74%2BVvsWQc-r7UX9pzuzOABxXeL3V1K7FEjJFDarMnyKQ@mail.gmail.com> <5F0F00EB.5010403@gmail.com> <CAPORhP4q6_vkxpPw3okKLmvsm9zPgUn6mDu1XT3x1U8q4uiuDw@mail.gmail.com> <5F0F0FBC.9020200@gmail.com> <CAPORhP77kh9VNR-ZP_1k_5vj-NM9dw1Vgxd3E_muVLNtiLsp6Q@mail.gmail.com> <5F0F152C.3040908@gmail.com> <CAPORhP4oNhA2vT5UG2OtV=JDbwcUCdXsXxzQXjZKSg1Fc6qe2Q@mail.gmail.com>
Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host, i.e. local-only vnet jails, as opposed to vnet jails that are able to access the public internet. Using the bridge/epair method of connecting vnet jails to the host [based on this how-to]: https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/

It's my understanding that this behavior is controlled by whether the host's interface connected to the public internet is added as a member of the bridge that the vnet jails' epairXa interfaces are members of.

I tested this on a remote VM and found that it made no difference one way or the other whether the host's interface connected to the public internet was added as a member of the bridge or not. In both cases the vnet jail had public internet access. On my home server I set up this scenario and observed the same behavior.

This behavior raises some questions. Is it technically possible to segregate vnet jails into groups of vnet jails that are restricted to local-host-only access and another group that has public access? If so, what is the mechanism that controls this ability? If I wanted both local-only and public vnet jails on the same host, I would think each group would need its own bridge. Where do we go from there? Is my understanding correct and this is a bug in if_bridge?
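The question above turns on what bridge membership actually controls. if_bridge only forwards at layer 2 between its member ports; whether a jail can reach the internet is decided at layer 3, by whether the jail has a gateway it can reach (typically an address the host assigns to the bridge) and whether the host forwards and NATs for it. Removing the public NIC from the bridge therefore does not by itself isolate the jails. The script below is an added example, not code from the original message or from the linked how-to: it builds two bridges, one with the uplink as a member and a host-side address for public jails, one with neither for local-only jails, generates the matching jail.conf stanzas, and includes a check that classifies a bridge from its `ifconfig` output so you can verify the segregation on a running host. The interface names em0, bridge0, bridge1 and the epair numbers are assumptions for illustration, and the two `ifconfig` transcripts are constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Added example: two-bridge layout for public and local-only vnet jails.
# Interface names below (em0, bridge0, bridge1, epairN) are assumptions.

UPLINK="em0"            # assumed host NIC with internet access
PUB_BRIDGE="bridge0"    # bridge for jails that may reach the internet
LAN_BRIDGE="bridge1"    # bridge for local-only jails
PUB_GW="192.168.10.1/24" # host-side address on the public bridge (constructed)

# Create both bridges. Only the public bridge gets the uplink as a member and
# a host address; the local-only bridge gets neither, so the host is neither
# an L2 path to the NIC nor an L3 gateway for that segment. (Requires root.)
setup_bridges() {
    ifconfig "$PUB_BRIDGE" create up
    ifconfig "$PUB_BRIDGE" addm "$UPLINK"
    ifconfig "$PUB_BRIDGE" inet "$PUB_GW"
    ifconfig "$LAN_BRIDGE" create up
}

# Emit a jail.conf stanza that attaches jail $1 via epair$2 to bridge $3.
# exec.prestart builds the epair and plugs the "a" side into the chosen
# bridge; the "b" side moves into the jail via vnet.interface.
jail_stanza() {
    name="$1"; id="$2"; bridge="$3"
    cat <<EOF
$name {
    vnet;
    vnet.interface = "epair${id}b";
    exec.prestart = "ifconfig epair${id} create up; ifconfig ${bridge} addm epair${id}a";
    exec.poststop = "ifconfig epair${id}a destroy";
}
EOF
}

# --- verification helpers: read the text of 'ifconfig <bridge>' on stdin ---

# List member interfaces of a bridge.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Success if interface $1 is a member (the bridge is wired to that NIC).
has_uplink() {
    bridge_members | grep -qx "$1"
}

# Success if the bridge carries an IPv4 address (host reachable as gateway).
has_inet() {
    awk '$1 == "inet" { found = 1 } END { exit !found }'
}

# Classify a bridge as "public" or "local-only" given the uplink name in $1.
# A bridge counts as public if the uplink is a member OR the host has an
# address on it, since either gives jails a way out.
classify_bridge() {
    text="$(cat)"
    if printf '%s\n' "$text" | has_uplink "$1" || printf '%s\n' "$text" | has_inet; then
        echo public
    else
        echo local-only
    fi
}

# Constructed sample 'ifconfig' output (not captured from a real host).
SAMPLE_PUB='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 58:9c:fc:10:ff:a1
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 20000
	member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 5 priority 128 path cost 2000
	groups: bridge'

SAMPLE_LAN='bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 58:9c:fc:10:ff:a2
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 7 priority 128 path cost 2000
	groups: bridge'

# Usage on a live host (root): setup_bridges; then
#   ifconfig bridge1 | classify_bridge em0     -> should print local-only
# Offline demonstration against the constructed samples:
printf '%s\n' "$SAMPLE_PUB" | classify_bridge "$UPLINK"
printf '%s\n' "$SAMPLE_LAN" | classify_bridge "$UPLINK"
jail_stanza www 1 "$PUB_BRIDGE"
jail_stanza db  2 "$LAN_BRIDGE"
```

Run `ifconfig bridgeN | classify_bridge em0` for each bridge after the jails are up; a bridge intended to be local-only that reports `public` means either the NIC was added to the wrong bridge or the host still holds an address on it. Keep `net.inet.ip.forwarding` and any NAT rule scoped to the public bridge's subnet so that traffic from the local-only segment has no route off the host even if a jail guesses an address.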