Date:      Wed, 18 Nov 2009 09:09:32 +0100
From:      Laszlo Nagy <gandalf@shopzeus.com>
To:        Michael Svobodin <admik@admik.pp.ru>
Cc:        questions@freebsd.org
Subject:   Re: jail - beginner questions
Message-ID:  <4B03ABBC.8020008@shopzeus.com>
In-Reply-To: <20091118044836.GA70999@b.admik.pp.ru>
References:  <4B02A81F.1030101@shopzeus.com> <44tyws3n28.fsf@be-well.ilk.org>	<4B02E742.4010705@shopzeus.com> <20091118044836.GA70999@b.admik.pp.ru>


> The address 192.168.0.11 must be assigned to an interface in the host FreeBSD.
> You can do it before starting the jail, or when the jail is being started.
>
> To assign the address before starting the jail do something like this:
> # ifconfig lnc0 alias 192.168.0.11/24
> where lnc0 is the name of the NIC in the host FreeBSD
>   

Great. Here is what I did:

sorb# mkdir -p /usr/jails/vm1
sorb# cd /usr/src
sorb# setenv D /usr/jails/vm1
sorb# make installworld DESTDIR=$D
sorb# make distribution DESTDIR=$D
sorb# cat >> /etc/rc.conf

jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm1_devfs_enable="YES"
jail_vm1_devfs_ruleset="vm1_ruleset"

^D
sorb# mount -t devfs devfs $D/dev
sorb# /etc/rc.d/jail start vm1
Configuring jails:.
Starting jails:ifconfig: interface lnc0 does not exist
 vm1.localdomain.

See, I do not understand how this works. If I use a real physical 
interface then it works:

sorb# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
    ether 00:1a:4d:7b:cf:d6
    inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
    inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active

where X.X.X.X is my public internet IP address. But I do not like this. 
I do not want to expose my jail's private IP address to the internet. Am 
I too paranoid? Should I just add rules like

ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
ipfw add 1002 deny all from any to 192.168.0.11
ipfw add 1003 deny all from 192.168.0.11 to any

and be happy? Or would it be better to create a virtual ethernet 
interface for my jails? Somehow?

> d.) It requires using a firewall, either ipfw or pf.
> For example you can add to your /etc/pf.conf:
> nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133
>
> But the firewall requires more lines than this one to work correctly with all network traffic.
> And you have to know exactly what you want to get for using it.
>   
I'm using ipfw. I think I'll use natd+divert on the host.

Thank you very much! I feel I'm over the hard part. :-)

   Laszlo
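Added example (not part of the message above, and not FreeBSD's own tooling): a small pre-flight check that catches the two issues raised in this reply before `/etc/rc.d/jail start` is run. It parses the `jail_*` lines of an rc.conf and the host's `ifconfig` output, reports a `jail_<name>_interface` that does not exist on the host (the "interface lnc0 does not exist" failure above), and flags an RFC 1918 jail address that will be aliased onto an interface which also carries a public address, which is the exposure Laszlo is worried about. The rc.conf text is the one from the message; the ifconfig text is constructed to mirror the message, with 203.0.113.5 (a documentation address) standing in for the public X.X.X.X.

```python
import ipaddress
import re

# Constructed input: the rc.conf fragment posted in the message.
RC_CONF = """\
jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm1_devfs_enable="YES"
jail_vm1_devfs_ruleset="vm1_ruleset"
"""

# Constructed input: ifconfig output modelled on the message, with
# 203.0.113.5 standing in for the host's public address X.X.X.X.
IFCONFIG = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:1a:4d:7b:cf:d6
    inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
    inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
"""

# RFC 1918 ranges are listed explicitly rather than using ipaddress.is_private,
# because is_private also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_rc_conf(text):
    """Collect name="value" assignments from rc.conf; other lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 addresses found in ifconfig output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            cur = head.group(1)
            ifaces[cur] = []
            continue
        inet = re.match(r"\s+inet (\d+\.\d+\.\d+\.\d+) ", line)
        if inet and cur is not None:
            ifaces[cur].append(inet.group(1))
    return ifaces


def check_jails(conf, ifaces):
    """Return a list of findings; an empty list means the jail config is consistent with the host."""
    findings = []
    if conf.get("jail_enable") != "YES":
        findings.append("jail_enable is not YES; /etc/rc.d/jail will start nothing")
    for name in conf.get("jail_list", "").split():
        iface = conf.get(f"jail_{name}_interface")
        ip = conf.get(f"jail_{name}_ip")
        if not iface or not ip:
            findings.append(f"{name}: jail_{name}_interface or jail_{name}_ip is missing")
            continue
        if iface not in ifaces:
            # The failure seen in the message: the rc script runs
            # "ifconfig <iface> alias <ip>" and the interface is not there.
            findings.append(f"{name}: interface {iface} does not exist on this host")
            continue
        # Addresses on the same interface that are neither RFC 1918 nor loopback
        # are treated as public-facing.
        exposed = [a for a in ifaces[iface]
                   if a != ip and not is_rfc1918(a) and not ipaddress.ip_address(a).is_loopback]
        if is_rfc1918(ip) and exposed:
            findings.append(f"{name}: RFC 1918 address {ip} is aliased on {iface} next to "
                            f"public address(es) {', '.join(exposed)}; cover it with a firewall/NAT policy")
    return findings


if __name__ == "__main__":
    for finding in check_jails(parse_rc_conf(RC_CONF), parse_ifconfig(IFCONFIG)):
        print(finding)
```

Run against the posted configuration it reports only the missing `lnc0`; change `jail_vm1_interface` to `re0` and it instead warns that the private jail address shares the public interface, which is the point at which the thread turns to ipfw or pf.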

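Added example (not part of the message above): a minimal first-match evaluator for the four ipfw rules Laszlo proposes, so their effect on concrete flows can be read off rather than guessed. The rules are copied from the message; 203.0.113.5 is a constructed stand-in for the host's public address X.X.X.X and 198.51.100.7 for an arbitrary remote host. The action of ipfw's implicit rule 65535 depends on how the kernel or module was built, so it is a parameter here and assumed to be deny.

```python
import ipaddress

HOST_PUBLIC = "203.0.113.5"   # constructed stand-in for X.X.X.X
JAIL_IP = "192.168.0.11"
OUTSIDE = "198.51.100.7"      # constructed remote host

# (rule number, action, source, destination): the rules from the message, in order.
RULES = [
    (1000, "allow", HOST_PUBLIC, JAIL_IP),
    (1001, "allow", JAIL_IP, HOST_PUBLIC),
    (1002, "deny", "any", JAIL_IP),
    (1003, "deny", JAIL_IP, "any"),
]


def addr_matches(spec, addr):
    """ipfw-style address match: 'any', a single address, or a CIDR block."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst, default_action="deny"):
    """Return (rule number, action) of the first rule matching the flow, as ipfw does.

    Rules are walked in ascending number order; the first match ends processing.
    If nothing matches, ipfw's implicit rule 65535 applies; its action is assumed
    here (deny), since it depends on the kernel/module build.
    """
    for number, action, rule_src, rule_dst in sorted(rules):
        if addr_matches(rule_src, src) and addr_matches(rule_dst, dst):
            return number, action
    return 65535, default_action


def trace_flows(rules, flows):
    """Evaluate several (src, dst) flows; returns {(src, dst): (rule, action)}."""
    return {(s, d): evaluate(rules, s, d) for s, d in flows}


if __name__ == "__main__":
    flows = [
        (HOST_PUBLIC, JAIL_IP),
        (JAIL_IP, HOST_PUBLIC),
        (JAIL_IP, OUTSIDE),
        (OUTSIDE, JAIL_IP),
        (HOST_PUBLIC, OUTSIDE),
    ]
    for (s, d), (number, action) in trace_flows(RULES, flows).items():
        print(f"{s:>14} -> {d:<14} rule {number:5d} {action}")
```

The trace shows what the proposed set actually does: the jail can exchange packets only with the host's own public address, and everything else to or from 192.168.0.11 is dropped at 1002 or 1003. Because ipfw stops at the first match, a `divert` rule for natd that is meant to translate the jail's outbound traffic has to be numbered below 1003, or those packets are denied before natd ever sees them.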



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B03ABBC.8020008>