Date: Wed, 18 Nov 2009 09:09:32 +0100
From: Laszlo Nagy <gandalf@shopzeus.com>
To: Michael Svobodin <admik@admik.pp.ru>
Cc: questions@freebsd.org
Subject: Re: jail - beginner questions
Message-ID: <4B03ABBC.8020008@shopzeus.com>
In-Reply-To: <20091118044836.GA70999@b.admik.pp.ru>
References: <4B02A81F.1030101@shopzeus.com> <44tyws3n28.fsf@be-well.ilk.org> <4B02E742.4010705@shopzeus.com> <20091118044836.GA70999@b.admik.pp.ru>
> The address 192.168.0.11 must be assigned to an interface in the host FreeBSD.
> You can do it before starting the jail, or when the jail is being started.
>
> To assign the address before starting the jail do something like this:
> # ifconfig lnc0 alias 192.168.0.11/24
> where lnc0 is the name of nic in the host FreeBSD
>
Great. Here is what I did:

sorb# mkdir -p /usr/jails/vm1
sorb# cd /usr/src
sorb# setenv D /usr/jails/vm1
sorb# make installworld DESTDIR=$D
sorb# make distribution DESTDIR=$D
sorb# cat >> /etc/rc.conf
jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm1_devfs_enable="YES"
jail_vm1_devfs_ruleset="vm1_ruleset"
^D
sorb# mount -t devfs devfs $D/dev
sorb# /etc/rc.d/jail start vm1
Configuring jails:.
Starting jails:ifconfig: interface lnc0 does not exist vm1.localdomain.

See, I do not understand how this works. If I use a real physical interface then it works:

sorb# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1a:4d:7b:cf:d6
        inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
        inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

where X.X.X.X is my public internet IP address. But I do not like this. I do not want to expose my jail's private IP address to the internet. Am I too paranoid? Should I just add rules like

ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
ipfw add 1002 deny all from any to 192.168.0.11
ipfw add 1003 deny all from 192.168.0.11 to any

and be happy? Or would it be better to create a virtual ethernet interface for my jails? Somehow?

> d.) It requires to use firewall either ipfw or pf.
> For example you can add to your /etc/pf.conf:
> nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133
>
> But the firewall requires more lines than this one to work correctly with all network traffic.
> And you have to know exactly what you want to get for using it.
>
I'm using ipfw. I think I'll use natd+divert on the host. Thank you very much! I feel I'm over the hard part. :-)

Laszlo
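A preflight check for the failure shown in the thread ("interface lnc0 does not exist" only surfacing when /etc/rc.d/jail runs), added here as an example; it is not part of the thread or of FreeBSD's own rc scripts. It parses the jail_* variables from an rc.conf-style file, whose contents below are constructed to match the post, and takes the host's interface list as a parameter so it runs anywhere (on a FreeBSD host pass "$(ifconfig -l)").

```shell
#!/bin/sh
# jail_preflight: refuse to start jails whose jail_<name>_interface names an
# interface the host does not have. Hypothetical helper, not FreeBSD rc code.

# rc_get FILE VAR : print the value of VAR="value" from FILE (last assignment wins)
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# jail_preflight FILE "IFACE LIST" : return 0 if every jail in jail_list names
# an interface from IFACE LIST, else print one line per problem and return 1
jail_preflight() {
    rcfile=$1; ifaces=$2; rc=0
    for j in $(rc_get "$rcfile" jail_list); do
        iface=$(rc_get "$rcfile" "jail_${j}_interface")
        ip=$(rc_get "$rcfile" "jail_${j}_ip")
        if [ -z "$iface" ]; then
            echo "jail $j: jail_${j}_interface not set"; rc=1; continue
        fi
        found=0
        for i in $ifaces; do [ "$i" = "$iface" ] && found=1; done
        if [ "$found" -eq 0 ]; then
            echo "jail $j: interface $iface does not exist (host has: $ifaces)"; rc=1
        else
            echo "jail $j: $ip will be aliased on $iface"
        fi
    done
    return $rc
}

# Constructed rc.conf fragment mirroring the post (interface lnc0, jail vm1).
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
EOF

# A host with only re0 and lo0 (like the poster's) fails the check before
# /etc/rc.d/jail is ever invoked; a host that has lnc0 passes.
jail_preflight "$SAMPLE_RC" "re0 lo0" || echo "preflight failed: not starting jails"
jail_preflight "$SAMPLE_RC" "lnc0 re0 lo0"
```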
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B03ABBC.8020008>