From owner-freebsd-questions@FreeBSD.ORG Wed Nov 18 08:09:38 2009
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BD70F1065698 for ; Wed, 18 Nov 2009 08:09:38 +0000 (UTC) (envelope-from gandalf@shopzeus.com)
Received: from viefep17-int.chello.at (viefep17-int.chello.at [62.179.121.37]) by mx1.freebsd.org (Postfix) with ESMTP id 072018FC1C for ; Wed, 18 Nov 2009 08:09:37 +0000 (UTC)
Received: from edge03.upc.biz ([192.168.13.238]) by viefep17-int.chello.at (InterMail vM.7.09.01.00 201-2219-108-20080618) with ESMTP id <20091118080936.VWTR9398.viefep17-int.chello.at@edge03.upc.biz>; Wed, 18 Nov 2009 09:09:36 +0100
Received: from laci.sznet ([80.99.119.49]) by edge03.upc.biz with edge id 6Y9Z1d01M1429wY03Y9amp; Wed, 18 Nov 2009 09:09:36 +0100
X-SourceIP: 80.99.119.49
Message-ID: <4B03ABBC.8020008@shopzeus.com>
Date: Wed, 18 Nov 2009 09:09:32 +0100
From: Laszlo Nagy
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Michael Svobodin
References: <4B02A81F.1030101@shopzeus.com> <44tyws3n28.fsf@be-well.ilk.org> <4B02E742.4010705@shopzeus.com> <20091118044836.GA70999@b.admik.pp.ru>
In-Reply-To: <20091118044836.GA70999@b.admik.pp.ru>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Content-Transfer-Encoding: 7bit
Cc: questions@freebsd.org
Subject: Re: jail - beginner questions
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 18 Nov 2009 08:09:38 -0000

> The address 192.168.0.11 must be assigned to an interface in the host FreeBSD.
> You can do it before starting the jail, or when the jail is being started.
>
> To assign the address before starting the jail, do something like this:
> # ifconfig lnc0 alias 192.168.0.11/24
> where lnc0 is the name of the NIC in the host FreeBSD

Great. Here is what I did:

sorb# mkdir -p /usr/jails/vm1
sorb# cd /usr/src
sorb# setenv D /usr/jails/vm1
sorb# make installworld DESTDIR=$D
sorb# make distribution DESTDIR=$D
sorb# cat >> /etc/rc.conf
jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm1_devfs_enable="YES"
jail_vm1_devfs_ruleset="vm1_ruleset"
^D
sorb# mount -t devfs devfs $D/dev
sorb# /etc/rc.d/jail start vm1
Configuring jails:.
Starting jails:ifconfig: interface lnc0 does not exist
 vm1.localdomain.

See, I do not understand how this works. If I use a real physical interface, then it works:

sorb# ifconfig
re0: flags=8843 metric 0 mtu 1500
        options=389b
        ether 00:1a:4d:7b:cf:d6
        inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
        inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
        media: Ethernet autoselect (100baseTX )
        status: active

where X.X.X.X is my public internet IP address. But I do not like this. I do not want to expose my jail's private IP address to the internet. Am I too paranoid? Should I just add rules like

ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
ipfw add 1002 deny all from any to 192.168.0.11
ipfw add 1003 deny all from 192.168.0.11 to any

and be happy? Or would it be better to create a virtual ethernet interface for my jails? Somehow?

> d.) It requires using a firewall, either ipfw or pf.
> For example you can add to your /etc/pf.conf:
> nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133
>
> But the firewall requires more lines than this one to work correctly with all network traffic.
> And you have to know exactly what you want to get from using it.

I'm using ipfw. I think I'll use natd+divert on the host. Thank you very much!

I feel I'm over the hard part. :-)

Laszlo
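Added example, not part of the message above or of anyone's posted configuration: a host-side ipfw + natd ruleset for the "natd+divert on the host" approach chosen at the end of the mail, combined with the "virtual interface" idea raised in it. It assumes the jail's private address is put on a cloned loopback interface (lo1) instead of being aliased onto the public NIC, so the private address never appears on the wire. Everything below is an assumption for illustration: the public NIC is re0, the host's public address is 203.0.113.10 (a documentation-range placeholder standing in for X.X.X.X), the jail address is 192.168.0.11, and natd listens on its default divert port 8668. The rules are printed rather than loaded unless APPLY_RULES=yes is set and the script runs as root, and check_rule_order can also be fed the output of `ipfw list` on a live host.

```sh
#!/bin/sh
# Added example (not from the thread). All names and addresses are assumptions:
#   PUB_IF=re0            host's public NIC
#   PUB_IP=203.0.113.10   host's public address (RFC 5737 placeholder for X.X.X.X)
#   JAIL_IF=lo1           cloned loopback that carries the jail address
#   JAIL_IP=192.168.0.11  the jail's private address
#   NATD_PORT=8668        natd's default divert port
PUB_IF="${PUB_IF:-re0}"
PUB_IP="${PUB_IP:-203.0.113.10}"
JAIL_IF="${JAIL_IF:-lo1}"
JAIL_IP="${JAIL_IP:-192.168.0.11}"
NATD_PORT="${NATD_PORT:-8668}"

# /etc/rc.conf additions: the jail binds to the cloned loopback, natd aliases
# to the public NIC, ipfw loads the rule script. Printed, not written.
jail_rc_conf() {
    cat <<EOF
cloned_interfaces="${JAIL_IF}"
jail_vm1_interface="${JAIL_IF}"
firewall_enable="YES"
firewall_script="/etc/ipfw.jail.sh"
natd_enable="YES"
natd_interface="${PUB_IF}"
EOF
}

# Rule order is the security-relevant part:
#  200/210: packets that arrive on the public NIC carrying the private address
#           (someone addressing 192.168.0.11 directly, or spoofing it as a
#           source) are dropped BEFORE divert, i.e. as seen on the wire.
#  300:     everything crossing the public NIC goes to natd; natd reinjects the
#           translated packet at the NEXT rule, so legitimate inbound replies
#           (now addressed to JAIL_IP) never hit rule 200.
#  400:     any jail packet that somehow leaves untranslated is dropped.
# Host-service policy belongs between 400 and the final allow.
jail_fw_rules() {
    cat <<EOF
ipfw -q flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 allow ip from any to any via ${JAIL_IF}
ipfw add 200 deny ip from any to ${JAIL_IP} in via ${PUB_IF}
ipfw add 210 deny ip from ${JAIL_IP} to any in via ${PUB_IF}
ipfw add 300 divert ${NATD_PORT} ip from any to any via ${PUB_IF}
ipfw add 400 deny ip from ${JAIL_IP} to any out via ${PUB_IF}
ipfw add 65000 allow ip from any to any
EOF
}

# Reads a rule list on stdin (jail_fw_rules output or `ipfw list`) and
# succeeds only if the inbound deny for the raw jail address precedes the
# divert rule; if it came after, natd's reinjected replies would be dropped
# and, worse, wire traffic to the private address would reach natd first.
check_rule_order() {
    cro_rules=$(cat)
    cro_deny=$(printf '%s\n' "$cro_rules" \
        | grep -nF "deny ip from any to ${JAIL_IP} in via ${PUB_IF}" \
        | head -n1 | cut -d: -f1)
    cro_divert=$(printf '%s\n' "$cro_rules" \
        | grep -nF "divert ${NATD_PORT} ip" | head -n1 | cut -d: -f1)
    [ -n "$cro_deny" ] && [ -n "$cro_divert" ] && [ "$cro_deny" -lt "$cro_divert" ]
}

# Loads the rules on a FreeBSD host; refuses to run unprivileged.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    jail_fw_rules | check_rule_order || { echo "rule order check failed" >&2; return 1; }
    jail_fw_rules | sh -e
}

if [ "${APPLY_RULES:-no}" = "yes" ]; then
    apply_rules
else
    jail_rc_conf
    echo
    jail_fw_rules
fi
```

The ipfw rules in the mail (1000 to 1003) pin the jail to talking with the host's public address only; the set above instead lets the jail reach the Internet through natd while still refusing any packet on re0 that carries the private address untranslated. Dropping diverted packets when no natd is bound to the port is ipfw's own behaviour, so rule 400 is a belt-and-braces check rather than the primary control.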