From owner-freebsd-security@FreeBSD.ORG Wed Aug 27 01:56:18 2003
Date: Wed, 27 Aug 2003 20:56:15 +1200 (NZST)
From: Andrew McNaughton
To: freebsd-security@freebsd.org
Message-ID: <20030827202228.P93986@a2.scoop.co.nz>
Subject: source addresses for IP traffic between jails

I'm setting up a server environment where I've got a bunch of jails running using aliased IPs on the same interface. I'd like to be able to use ipfw to place limits on the traffic between jails, but I'm running into problems.

When I use tcpdump to look at TCP traffic from one jail to another, it shows both the source and destination IP for the packets as being the IP assigned to the jail which the connection is made to.

When I look at UDP traffic (again using tcpdump) I see both the source and destination IP being that of the jail IP the particular packet is destined for.

Given the situation above, is it possible for ipfw to distinguish which jails are involved in a packet exchange?

I've wondered about giving each jail its own pseudo-interface. Are there any problems with creating many pseudo-interfaces like this? What sort of interface should I use? You apparently can't create multiple loopback interfaces which would be the obvious choice (ie `ifconfig lo1 create` does not work). The interface types I know about that allow creation of pseudo-interfaces are tunnel type interfaces which don't really suit this purpose. Is there something suitable?

Given that packets are coming from a jail, is the packet construction I'm seeing correct, or should this be considered a bug?

Andrew McNaughton

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton
In Sydney
Working on a Product Recommender System
andrew@scoop.co.nz
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
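The following is an added illustration, not part of the original post and not FreeBSD code, of why the observed packet headers defeat address-based ipfw rules. It parses a few constructed tcpdump lines (the jail addresses 10.0.0.1 and 10.0.0.2 are hypothetical), flags packets whose source and destination address are identical, which is the symptom the post describes, and evaluates a toy model of an ipfw "from X to Y" address match against them. A rule written to match traffic from one jail to the other never fires on the self-addressed packets, because the originating jail's address is simply not present in the header.

```python
import re
from dataclasses import dataclass

# Constructed sample tcpdump output (not captured from a real system).
# Jail A = 10.0.0.1, jail B = 10.0.0.2 are hypothetical addresses.
# The first two lines mimic the symptom in the post: source and destination
# are both the address of the jail the packet is delivered to.
SAMPLE_TCPDUMP = """\
20:56:15.000001 IP 10.0.0.2.51234 > 10.0.0.2.80: Flags [S], seq 1, win 65535, length 0
20:56:15.000002 IP 10.0.0.1.51235 > 10.0.0.1.53: UDP, length 40
20:56:15.000003 IP 10.0.0.1.51236 > 10.0.0.2.22: Flags [S], seq 2, win 65535, length 0
"""

# Matches "IP <src>.<sport> > <dst>.<dport>:" in tcpdump's IPv4 one-line format.
LINE_RE = re.compile(r'IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):')


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_tcpdump(text):
    """Extract address/port 4-tuples from tcpdump lines; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkts.append(Packet(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return pkts


def self_addressed(pkts):
    """Packets whose source and destination address are identical (the symptom in the post)."""
    return [p for p in pkts if p.src == p.dst]


def matches_rule(pkt, src_addr, dst_addr):
    """Toy model of an ipfw 'from X to Y' address match: exact host addresses or 'any'."""
    src_ok = src_addr == "any" or pkt.src == src_addr
    dst_ok = dst_addr == "any" or pkt.dst == dst_addr
    return src_ok and dst_ok


def count_matches(pkts, src_addr, dst_addr):
    """How many packets an address-only rule 'from src_addr to dst_addr' would match."""
    return sum(1 for p in pkts if matches_rule(p, src_addr, dst_addr))


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_TCPDUMP)
    print(f"{len(pkts)} packets parsed")
    for p in self_addressed(pkts):
        print("self-addressed (origin jail not identifiable):", p)
    # A rule meant to limit jail A -> jail B traffic only sees the third, well-formed packet.
    print("rule 'from 10.0.0.1 to 10.0.0.2' hits:", count_matches(pkts, "10.0.0.1", "10.0.0.2"))
```

Running the script shows two of the three packets are self-addressed and that the A-to-B rule matches only the one packet carrying a real source address; the same check can be run over a real capture to confirm whether the kernel in use still exhibits the behaviour described in the post.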