Date: Fri, 17 Jul 2020 16:31:53 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: Alexander Leidinger <Alexander@leidinger.net>
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org, David Mehler <dave.mehler@gmail.com>
Subject: Re: vnet jail for local only or public access
Message-ID: <5F120AB9.8060209@gmail.com>
In-Reply-To: <20200717152243.Horde.9H9QDqj9GtGFk_mayhRBsvs@webmail.leidinger.net>
References: <CAPORhP5%2BQ8TX_DuwbdAfvqf97pX=SCRfgyOz%2BzvMqPdnJ2gmYA@mail.gmail.com>
 <5EFCD605.4000409@gmail.com>
 <CAPORhP7R26Y85-XjFXqKtAzr2A8RxHgK530CJzp8y73tcgjMDg@mail.gmail.com>
 <5EFD095F.4040507@gmail.com>
 <CAPORhP408Cmb2FG89VOpUJJZhGJ2KUG70%2B0pMnzyk3Xev4vi1Q@mail.gmail.com>
 <5F0119F3.40806@gmail.com>
 <CAPORhP7QpZ3=3iPfogcKsqf0gBtgLvOdbNLG9=-Hk=8XjNCrcA@mail.gmail.com>
 <5F049E65.8000701@gmail.com>
 <CAPORhP7q5s14qy7VcX0rSLbOimweh7aXZuqmPNzTSAchLOHe9w@mail.gmail.com>
 <5F0DEE4A.6080600@gmail.com>
 <CAPORhP74%2BVvsWQc-r7UX9pzuzOABxXeL3V1K7FEjJFDarMnyKQ@mail.gmail.com>
 <5F0F00EB.5010403@gmail.com>
 <CAPORhP4q6_vkxpPw3okKLmvsm9zPgUn6mDu1XT3x1U8q4uiuDw@mail.gmail.com>
 <5F0F0FBC.9020200@gmail.com>
 <CAPORhP77kh9VNR-ZP_1k_5vj-NM9dw1Vgxd3E_muVLNtiLsp6Q@mail.gmail.com>
 <5F0F152C.3040908@gmail.com>
 <CAPORhP4oNhA2vT5UG2OtV=JDbwcUCdXsXxzQXjZKSg1Fc6qe2Q@mail.gmail.com>
 <5F119D8F.7030407@gmail.com>
 <20200717152243.Horde.9H9QDqj9GtGFk_mayhRBsvs@webmail.leidinger.net>
Alexander Leidinger wrote:
> Quoting Ernie Luzar <luzar722@gmail.com> (from Fri, 17 Jul 2020 08:46:07
> -0400):
>
>> Trying to figure out how to configure a vnet jail so it is restricted
>> to only being able to talk to other vnet jails on the same host IE:
>> local only vnet jails. As different to being able to access the public
>> internet type of vnet jails.
>>
>> Using the bridge/epair method of connecting vnet jails to the host.
>> [ based on this how-to ]
>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>
>> It's my understanding that this behavior is controlled by if the hosts
>> interface connected to the public internet is added as a member to the
>> bridge the vnet jails epairXa interfaces were members of.
>
> Partly correct. You can also have a setup where your host is routing
> between what you call the public internet and the local only vnets.
>
>> I tested this on a remote vm and found that it made no difference one
>> way or the other if the hosts interface connected to the public
>> internet was added as a member to the bridge or not. In both cases the
>> vnet jail had public internet access.
>
> It shouldn't, if there is no routing involved.
>
> Please show us "ifconfig -a" and "netstat -rn" of the host.
>
> Bye,
> Alexander.
/root >netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0
xxx.25.48.0/20     link#2             U           re0
xxx.25.51.0        link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
/root >
/root >ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
	ether d0:50:99:93:75:98
	inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 50:3e:aa:06:11:22
	inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
	media: Ethernet autoselect (1000baseT <full-duplex,master>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: qjail-vnet-jail-only-bridge
	ether 02:3e:ba:a7:58:0a
	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	groups: bridge
	nd6 options=1<PERFORMNUD>
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: qjail-vnet-jail-dir10
	options=8<VLAN_MTU>
	ether 02:f6:61:9a:b4:0a
	inet6 fe80::f6:61ff:fe9a:b40a%epair4a prefixlen 64 scopeid 0x6
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Vnet jail can ping the public internet.
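The thread's point is that a bridge with no public interface as a member is only isolated at layer 2; once the host holds an IP address on that bridge (10.0.20.2 on bridge10 above) and forwards packets, the jails can use the host as their gateway and the bridge is no longer "local only". The script below is an added example, not code from the thread or from the qjail how-to: it parses "ifconfig -a" text and, together with the value of the FreeBSD sysctl net.inet.ip.forwarding, reports which of the two paths to the public interface exists. The sample listings are constructed (trimmed and adapted from the output quoted above), and the verdict words, function names and argument order are this example's own conventions.

```sh
#!/bin/sh
# Added example: classify how a "local only" vnet bridge can still reach the
# public interface. Reads "ifconfig -a" text from stdin; the forwarding flag is
# passed in (on a live host: sysctl -n net.inet.ip.forwarding).

# Constructed sample, adapted from the thread: the host has an address on
# bridge10 and only the jail's epair4a is a member.
SAMPLE_ROUTED='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 50:3e:aa:06:11:22
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: qjail-vnet-jail-only-bridge
	ether 02:3e:ba:a7:58:0a
	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	groups: bridge
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	groups: epair'

# Constructed sample: the public interface re0 was also made a bridge member.
SAMPLE_L2='bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
	member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Constructed sample: no host address on the bridge and no public member.
SAMPLE_ISOLATED='bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:3e:ba:a7:58:0a
	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# bridge_section IFACE: print the indented detail lines of IFACE's block.
# Every interface block starts with a non-indented "name: flags=" header line.
bridge_section() {
    inside=0
    while IFS= read -r line; do
        case "$line" in
            "$1: flags="*) inside=1; continue ;;
            *": flags="*)  inside=0 ;;
        esac
        if [ "$inside" -eq 1 ]; then printf '%s\n' "$line"; fi
    done
}

# bridge_members BRIDGE: one member interface name per line.
bridge_members() {
    bridge_section "$1" | while read -r key val _rest; do
        if [ "$key" = "member:" ]; then printf '%s\n' "$val"; fi
    done
}

# bridge_inet BRIDGE: the host's IPv4 address on BRIDGE, or nothing.
bridge_inet() {
    bridge_section "$1" | while read -r key val _rest; do
        if [ "$key" = "inet" ]; then printf '%s\n' "$val"; fi
    done
}

# classify_bridge BRIDGE PUBLIC_IF FORWARDING: prints one verdict word.
#   l2-bridged      PUBLIC_IF is a member; jail frames hit the wire directly
#   routable        host has an address on the bridge and forwarding is on,
#                   so the jails can route through the host (the thread's case)
#   host-reachable  host has an address on the bridge but does not forward
#   isolated        neither a public member nor a host address on the bridge
classify_bridge() {
    br=$1; pub=$2; fwd=$3
    text=$(cat)
    if printf '%s\n' "$text" | bridge_members "$br" | grep -qx "$pub"; then
        echo l2-bridged
    elif [ -n "$(printf '%s\n' "$text" | bridge_inet "$br")" ]; then
        if [ "$fwd" = 1 ]; then echo routable; else echo host-reachable; fi
    else
        echo isolated
    fi
}

# Stand-alone demo: the thread's layout with forwarding enabled.  # prints: routable
printf '%s\n' "$SAMPLE_ROUTED" | classify_bridge bridge10 re0 1
```

On a real host the same check is "ifconfig -a | sh this_script" style input plus "sysctl -n net.inet.ip.forwarding" for the third argument. A "routable" verdict means the bridge membership test the thread started with is not enough: to keep the jails local, the host must not offer them a forwarding path, which is a matter of the bridge's address and the forwarding setting (and any NAT rules) rather than of which NICs are bridge members.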