From owner-freebsd-jail@freebsd.org Fri Jul 17 13:23:16 2020
Date: Fri, 17 Jul 2020 15:22:43 +0200
From: Alexander Leidinger
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org, David Mehler
Subject: Re: vnet jail for local only or public access
List: freebsd-jail@freebsd.org (Discussion about FreeBSD jail(8))
Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400):

> Trying to figure out how to configure a vnet jail so it is
> restricted to only being able to talk to other vnet jails on the
> same host, i.e. local-only vnet jails, as different to being able to
> access the public internet type of vnet jails.
>
> Using the bridge/epair method of connecting vnet jails to the host.
> [ based on this how-to ]
> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>
> It's my understanding that this behavior is controlled by whether the
> host's interface connected to the public internet is added as a
> member to the bridge the vnet jails' epairXa interfaces were members
> of.

Partly correct. You can also have a setup where your host is routing
between what you call the public internet and the local-only vnets.

> I tested this on a remote VM and found that it made no difference
> one way or the other if the host's interface connected to the public
> internet was added as a member to the bridge or not. In both cases
> the vnet jail had public internet access.

It shouldn't, if there is no routing involved. Please show us "ifconfig -a"
and "netstat -rn" of the host.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
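The two paths the reply distinguishes (the public NIC being a bridge member, versus the host routing between the bridge and the outside) can be read off the "ifconfig -a" output Alexander asks for. The following is an added example, not code from the thread: a POSIX sh function that classifies a bridge from constructed ifconfig text plus the host's net.inet.ip.forwarding value; the interface names, addresses and the three samples are invented, and NAT rules and routes (what "netstat -rn" would show) are out of its scope.

```shell
# Added example, not from the thread: classify how far a vnet jail's bridge
# can reach, from "ifconfig -a" text and the host's net.inet.ip.forwarding
# value: "bridged" (public NIC is a bridge member), "routed" (host has an
# address on the bridge and forwards IP) or "isolated" (local-only jails).
bridge_exposure() {
    ifcfg=$1; bridge=$2; pub=$3; fwd=$4
    # Keep only the bridge's stanza: its header ("bridge0: flags=...") and
    # the indented lines after it, up to the next interface header.
    stanza=$(printf '%s\n' "$ifcfg" | awk -v b="$bridge" '
        /^[A-Za-z0-9_.]+: / { inb = ($1 == (b ":")) }
        inb { print }')
    if printf '%s\n' "$stanza" | grep -q "member: $pub "; then
        echo bridged; return 0
    fi
    # No L2 path. An L3 path needs a host address on the bridge plus IP
    # forwarding; NAT and routes are not modelled (see "netstat -rn").
    if [ "$fwd" = 1 ] && printf '%s\n' "$stanza" | grep -q '^[[:space:]]*inet '; then
        echo routed; return 0
    fi
    echo isolated
}

# Constructed samples (not real host output); epairNa are the jail uplinks.
SAMPLE_LOCAL='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500'
# Same host after "ifconfig bridge0 addm em0": jails sit on the public segment.
SAMPLE_PUBLIC='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500'
# em0 is not a member, but the host owns 192.0.2.1 on the bridge: routing is possible.
SAMPLE_ROUTED='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

bridge_exposure "$SAMPLE_LOCAL"  bridge0 em0 1   # isolated
bridge_exposure "$SAMPLE_PUBLIC" bridge0 em0 0   # bridged
bridge_exposure "$SAMPLE_ROUTED" bridge0 em0 1   # routed
```

Note that "isolated" only means no path past the host through this bridge; with forwarding off the jails can still reach an address the host holds on the bridge.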