Date: Wed, 11 Aug 2010 16:36:48 +0800
From: Fbsd8 <fbsd8@a1poweruser.com>
To: "Randal L. Schwartz" <merlyn@stonehenge.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?
Message-ID: <4C626120.3080808@a1poweruser.com>
In-Reply-To: <868w4dzwf8.fsf@red.stonehenge.com>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <4C61E8B1.7050605@a1poweruser.com> <86mxsuynm0.fsf@red.stonehenge.com> <4C620356.6070402@a1poweruser.com> <86fwylzyqd.fsf@red.stonehenge.com> <4C620FF5.1020900@a1poweruser.com> <868w4dzwf8.fsf@red.stonehenge.com>
Randal L. Schwartz wrote:
>>>>>> "Fbsd8" == Fbsd8 <fbsd8@a1poweruser.com> writes:
>
> Fbsd8> No. Your jail is assigned its IP address when you create it. The
> Fbsd8> alias gives the jail network access when you start the jail. Both
> Fbsd8> IP addresses must match.
>
> Yup, and if that's a 10.x address, I'm not on the net. So I have to
> route to it somehow.
>
> Fbsd8> Just assign the jail your public IP address when you create it.
>
> I was under the impression that the address had to be distinct, in order
> to uniquely identify it. Are you saying that's not the case? If so,
> the docs on jails are unclear.
>
> Fbsd8> "face the public" is a very large subject, which the answer depends on your
> Fbsd8> hardware configuration, registered domain names and static IP
> Fbsd8> addresses.
>
> Yes, I'm hoping not to burn a second or third public address for my
> jail. Instead, I just want my jail to have a punch through (port 80,
> port 25, etc) from my one public address. Is there a trick to this
> without burning another public address? Or do I misunderstand (based on
> poor docs) how a jail attaches itself to an interface?
>
> Fbsd8> Using jails requires the host system administrator to be well
> Fbsd8> trained in networks and how public and private networks
> Fbsd8> function. Jail documentation is not going to teach you this.
>
> Now you're just being condescending. It's fairly likely, almost
> certain, that I've been dealing with IP traffic since before you could
> type.
>
> What I'm asking for is the specifics of Jails. I *know* how IP traffic
> works, and even what alias does. What I don't know is FreeBSD's
> particulars that make this either hard or easy. I *do* know about pf,
> having administered an OpenBSD box for a number of years. I'm just new
> to jails, and since you're the "expert", you might have a little
> patience on that realm, please.
First thing to keep in mind is jails were designed to be targeted by a unique public routable static IP address; in that configuration each jail can run any mixture of services. Different jails on the gateway host using the same public routable static IP address can be targeted by service port number if that port number is not in use on the host or any other jail. This is implied usage, i.e. not specified in any control file.

Let's say the FreeBSD gateway host has a single static IP address and you want jails on the gateway host to receive unsolicited inbound traffic for a web server (port 80) and a mail server (port 25). Your domain name points to the single static IP address. Create 2 jails assigned to the single static IP address without the jail auto alias function enabled. No gateway host firewall rules to stop inbound traffic on those ports, or have those ports NATed, but it should have stateful rules to let traffic pass. The gateway host can not have a web server using port 80 or a mail server using port 25 or they will process the traffic before the jails see it. The only service running on the web server jail is apache listening on port 80, and the mail server jail (postfix) listening on port 25. In this configuration the web server can even service multiple domain name vhosts.

Now if the gateway host has a non-static IP address (dynamic IP address), such as those assigned by ISPs providing DSL or cable internet services, your public IP address may change on you when the lease time expires or the system reboots, causing your jails to lose their public internet access. Some domain name registrars have a function where you run a task on your gateway host to monitor your public IP address, and if it changes it submits to your domain name registrar an automatic request to change the IP address your domain name points to.

Another gotcha is some DSL or cable providers of public internet services have their network designed as a LAN and you do not have a real public routable IP address EVER. In this case your jails can only be used for services restricted to your own private LAN. The service provider is NATing your traffic at their front door. You are SOL.
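A pre-flight check for the shared-address setup described above, added here as an example and not part of the thread: it reads `sockstat -4 -l` output from the gateway host and reports any host listener that would take port 80 or 25 before a jail on the same address sees the traffic. The public address 203.0.113.10 is a placeholder and the embedded sockstat listing is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Placeholders: the
# public address and the list of ports the jails are meant to own.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
JAIL_PORTS="${JAIL_PORTS:-80 25}"

# Constructed sample of `sockstat -4 -l` output, used when run offline.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sendmail   901   5  tcp4   127.0.0.1:25          *:*
www      httpd      1022  3  tcp4   *:80                  *:*
root     syslogd    620   6  udp4   *:514                 *:*'

# port_conflicts LISTING: print "port pid command" for every tcp4 listener
# bound on the wildcard or on the public address for a jail port.
# Returns 1 when at least one such listener exists, 0 when the host is clean.
# A listener on 127.0.0.1 only is left alone: it does not claim the public
# address and so cannot intercept traffic meant for the jail.
port_conflicts() {
    printf '%s\n' "$1" | awk -v ip="$PUBLIC_IP" -v ports="$JAIL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $5 == "tcp4" {
        split($6, a, ":"); addr = a[1]; port = a[2]
        if ((port in want) && (addr == "*" || addr == ip)) {
            print port, $3, $2
            found = 1
        }
    }
    END { exit found ? 1 : 0 }'
}

# Run against the live host with "live" as first argument, else use the sample.
case "${1:-sample}" in
    live) listing=$(sockstat -4 -l) ;;
    *)    listing=$SAMPLE_SOCKSTAT ;;
esac
if port_conflicts "$listing"; then
    echo "no host listener collides with jail ports: $JAIL_PORTS"
else
    echo "stop or rebind the listeners above before starting the jails"
fi
```

On a real host the jail's own listeners also show up in `sockstat` once the jail is running, so run the check before the jails are started.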