From owner-freebsd-questions@FreeBSD.ORG Thu Nov 19 04:29:34 2009
Date: Thu, 19 Nov 2009 11:29:20 +0700
From: Michael Svobodin
To: questions@freebsd.org
Subject: Re: jail - beginner questions
Message-ID: <20091119042920.GA16531@b.admik.pp.ru>
In-Reply-To: <4B03ABBC.8020008@shopzeus.com>
References: <4B02A81F.1030101@shopzeus.com> <44tyws3n28.fsf@be-well.ilk.org> <4B02E742.4010705@shopzeus.com> <20091118044836.GA70999@b.admik.pp.ru> <4B03ABBC.8020008@shopzeus.com>

On Wed, Nov 18, 2009 at 09:09:32AM +0100, Laszlo Nagy wrote:
> Great. Here is what I did:
>
> sorb# mkdir -p /usr/jails/vm1
> sorb# cd /usr/src
> sorb# setenv D /usr/jails/vm1
> sorb# make installworld DESTDIR=$D
> sorb# make distribution DESTDIR=$D
> sorb# cat >> /etc/rc.conf
>
> jail_enable="YES"
> jail_list="vm1"
> jail_vm1_rootdir="/usr/jails/vm1"
> jail_vm1_hostname="vm1.localdomain"
> jail_vm1_ip="192.168.0.11"
> jail_vm1_interface="lnc0"
> jail_vm1_devfs_enable="YES"
> jail_vm1_devfs_ruleset="vm1_ruleset"
>
> ^D
> sorb# mount -t devfs devfs $D/dev
> sorb# /etc/rc.d/jail start vm1
> Configuring jails:.
> Starting jails:ifconfig: interface lnc0 does not exist
> vm1.localdomain.
>
> See, I do not understand how this works. If I use a real physical
> interface then it works:
>
> sorb# ifconfig
> re0: flags=8843 metric 0 mtu 1500
> options=389b
> ether 00:1a:4d:7b:cf:d6
> inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
> inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
> media: Ethernet autoselect (100baseTX )
> status: active

I thought that your physical interface is the lnc0 on the host FreeBSD.
The jail startup script doesn't create any interfaces itself. It uses any
interface that exists in the host OS, and sets the ip address on it. So,
you can use either re0 or lo0.

> where X.X.X.X is my public internet IP address. But I do not like this.
> I do not want to expose my jail's private IP address to the internet. Am
> I too paranoid? Should I just add rules like
>
> ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
> ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
> ipfw add 1002 deny all from any to 192.168.0.11
> ipfw add 1003 deny all from 192.168.0.11 to any
>
> and be happy? Or would it be better to create a virtual ethernet
> interface for my jails? Somehow?

If you want to hide your jail then you can use the interface lo0.

jail_vm1_interface="lo0"

Suppose that your public ip address is 192.168.201.50. Then start the natd:

# natd -a 192.168.201.50

and add to ipfw these divert rules:

# ipfw add 10 divert natd all from any to 192.168.201.50 in
# ipfw add 20 divert natd all from 192.168.0.11 to any out

After that, add ipfw rules to allow the traffic diverted above, or you can
allow all for testing:

# ipfw add 30 allow all from any to any

Now your jail is hidden from the outer network. But inside the jail the
network is working.
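The setup in the reply above, as an added example that is not part of the thread: a small POSIX shell script that emits the rc.conf stanza for a jail bound to lo0, checks that the interface named in the stanza actually exists on the host (the "interface lnc0 does not exist" failure earlier in the thread), and emits the natd start plus the ipfw rules. The rule numbers 10 and 20 follow the reply; rules 30 to 50 in "restricted" mode are this example's own replacement for the "allow all from any to any" test rule and are an assumption, as is the convention of passing the host's interface list in explicitly instead of reading `ifconfig -l`.

```shell
#!/bin/sh
# Added example (not from the thread): hidden-jail configuration on lo0 with
# natd/ipfw, plus the interface check the thread tripped over.
# Assumptions: rules 30-50 in restricted mode are this example's own; they
# pass only the packets natd rewrote and loopback traffic, so any other host
# traffic still needs its own allow rules before ipfw's default deny.

# Emit the rc.conf stanza for one jail. $5 is the interface the jail IP is
# added to; "lo0" keeps the jail's private address off the physical NIC.
jail_rcconf() {
    name=$1; rootdir=$2; host=$3; ip=$4; iface=${5:-lo0}
    cat <<EOF
jail_enable="YES"
jail_list="$name"
jail_${name}_rootdir="$rootdir"
jail_${name}_hostname="$host"
jail_${name}_ip="$ip"
jail_${name}_interface="$iface"
jail_${name}_devfs_enable="YES"
EOF
}

# Return 0 if $1 names an interface present in the remaining arguments.
# On a FreeBSD host the list would come from `ifconfig -l`; passing it in
# lets the check run offline (constructed list in the demo below).
iface_exists() {
    want=$1; shift
    for i in "$@"; do
        [ "$i" = "$want" ] && return 0
    done
    return 1
}

# Emit the natd start and the ipfw rules. $3 is "test" (the reply's
# allow-all rule 30) or "restricted" (default). After a divert rule natd
# rewrites the packet and it re-enters the ruleset at the next rule: inbound
# packets now carry the jail IP as destination, outbound ones the public IP
# as source, so the restricted rules match exactly those.
nat_rules() {
    pub=$1; jail=$2; mode=${3:-restricted}
    echo "natd -a $pub"
    echo "ipfw add 10 divert natd all from any to $pub in"
    echo "ipfw add 20 divert natd all from $jail to any out"
    if [ "$mode" = test ]; then
        echo "ipfw add 30 allow all from any to any"
    else
        echo "ipfw add 30 allow all from any to $jail in"
        echo "ipfw add 40 allow all from $pub to any out"
        echo "ipfw add 50 allow ip from any to any via lo0"
    fi
}

# Demo with a constructed host interface list (re0 and lo0, as in the
# thread's ifconfig output): lnc0 fails the check, lo0 passes.
HOST_IFACES="re0 lo0"
for cand in lnc0 lo0; do
    if iface_exists "$cand" $HOST_IFACES; then
        echo "# $cand exists on the host; rc.conf stanza:"
        jail_rcconf vm1 /usr/jails/vm1 vm1.localdomain 192.168.0.11 "$cand"
    else
        echo "# $cand does not exist on the host; jail start would fail" >&2
    fi
done
echo "# NAT and firewall commands (restricted mode):"
nat_rules 192.168.201.50 192.168.0.11
```

Run it as `sh jail-plan.sh`; the restricted rule set is what to keep once the reply's allow-all rule has served its purpose for testing, since with the jail on lo0 nothing else on the wire can reach 192.168.0.11 without passing through natd first.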