From: Matthew Seaman
Organization: Infracaninophile
Date: Sun, 18 Apr 2010 08:58:56 +0100
To: Fbsd1
Cc: FreeBSD Questions
Subject: Re: Host firewall and jails

On 18/04/2010 01:21:44, Fbsd1 wrote:
> Just where do jails fall in reference to the host firewall?
> Do jails see the inbound packets before the host's firewall does?

No. The host firewall handles all of the incoming traffic before it gets to the jail. Unless you are using VIMAGE, when the jail can have its own separate network stack and firewall (ipfw only at the moment -- it crashes and burns in combination with pf). VIMAGE is experimental still and shouldn't be used on anything important.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey