From: Oliver Fromme
Date: Thu, 8 Jan 2009 14:53:19 +0100 (CET)
To: freebsd-stable@FreeBSD.ORG, spil.oss@gmail.com, lists@peter.de.com, ezjail@erdgeist.org
Subject: Re: Problems with network in jail
Message-Id: <200901081353.n08DrJUv009413@lurza.secnetix.de>
In-Reply-To: <5fbf03c20901080310g69da867v1fc8dadcdb4ca7ae@mail.gmail.com>

Spil Oss wrote:
> Thanks a lot! Will read up on that. (Luckily I do speak
> German/Swiss-German). From discussions on ##FreeBSD IRC I learned that
> it is not recommended to use lo0 for jails!

Why would that be not recommended? In fact I think it is a
very good idea to use lo0 addresses for jails, for security
reasons, because they're guaranteed to not leave your local
system. Therefore you have full control of what the process
within the jail can do.

If you want to grant specific network access to a jail
(incoming or outgoing, or both), you add appropriate "fwd"
rules to IPFW.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible."
        -- John William Chambless