Date: Fri, 7 Feb 2014 08:38:02 +0000
From: krad <kraduk@gmail.com>
To: Jim Ohlstein <jim@ohlste.in>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>, Tyler Saylor <tyler@680x0.com>
Subject: Re: pf and jails
Message-ID: <CALfReyd+mLsEwBVFVuEzXRyU6WVUZ-+Lw6j5OG_=Ozwt-xB+Zw@mail.gmail.com>
In-Reply-To: <52F3A8B7.3000608@ohlste.in>
References: <CAEZtMDYgTned8uN0pJ1DstuHjOiNF3pu0cwZNwfjnL570tFxvQ@mail.gmail.com> <52F3A8B7.3000608@ohlste.in>
It might be worth looking at VIMAGE jails, as then you get a dedicated network stack for each jail, and a lot of these issues will go away.

On 6 February 2014 15:22, Jim Ohlstein <jim@ohlste.in> wrote:
> Hello,
>
> On 2/6/14, 9:34 AM, Tyler Saylor wrote:
>> Hello,
>>
>> I'm running FreeBSD 10-RELEASE on i386. I have set up a few jails for
>> services such as httpd and postfix using ezjail. The host has one physical
>> ethernet interface and I have five routable IPv4 addresses; of the five,
>> four are assigned to a jail and one is assigned to the host. I have a jail
>> for mysql that is set up to use a clone of lo and the address "10.1.1.1".
>> I'm also using pf to filter traffic to each service on the host.
>>
>> My question is this: How do I make it so that the other jails that are
>> bound to routable addresses are able to interact with the jail on 10.1.1.1?
>> Is there some magic pf voodoo I'm not understanding, or some mental
>> deficiency I'm just now being made aware of? I've included my pf.conf and
>> included an illustration.
>>
>> Thanks for any help,
>> //Tyler Saylor
>>
>> For illustration:
>>
>> Each pipe represents a real, routable IPv4 address assigned to the
>> respective jail. The star represents the private address of the jail I'd
>> like to be accessible from the others.
>>
>> em0--|--|--|--|--|  lo1--*
>>      h  w  i  m  s       m
>>      o  w  r  a  v       y
>>      s  w  c  i  n       s
>>      t     l             q
>>                          l
>>
>> pf.conf
>>
>> http://pastebin.ca/2630464
>
> Assuming all of your jails are on the same loopback clone, and assuming
> you have not set "skip-networking" in your my.cnf, they should be able to
> talk to one another using the IP of the jail in question.
>
> Have you tried telnet?
>
> # telnet 10.1.1.1 3306
>
> That should give a result like:
>
> Trying 10.1.1.1...
> Connected to 10.1.1.1.
> Escape character is '^]'.
> N
> ...
>
> In your app, you'll probably need to set the "database host" or similar to
> the jail IP (10.1.1.1 in this case) rather than to "localhost".
>
> --
> Jim Ohlstein
>
> "Never argue with a fool, onlookers may not be able to tell the
> difference." - Mark Twain
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
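A VIMAGE setup along the lines krad suggests, as an added example that is not from the thread, from ezjail, or from any of the posters: a jail.conf(5) entry that gives the mysql jail its own network stack and an epair pair, so the jail's 10.1.1.1 lives on a real interface (epair0b inside the jail, epair0a on the host) instead of an alias on lo1. Assumed here are the jail name and path, the 10.1.1.0/24 subnet with the host at 10.1.1.254, and the epair numbering; on FreeBSD 10.x this also needs a kernel built with `options VIMAGE`, since GENERIC did not enable it until 12.0.

```conf
# /etc/jail.conf entry (added example, not from the thread; names assumed).
# FreeBSD 10.x: requires a kernel built with "options VIMAGE".
mysql {
    path = "/usr/jails/mysql";
    host.hostname = "mysql.example.internal";
    mount.devfs;

    # Own network stack; do not combine with ip4.addr.
    vnet;
    vnet.interface = "epair0b";      # moved into the jail once it exists

    # Host side: create the epair and keep the "a" end as the host's gateway
    # into the jail's subnet. Runs before the jail is created.
    exec.prestart = "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair0a 10.1.1.254/24 up";

    # Jail side: runs inside the new vnet, so it sees epair0b.
    exec.start = "ifconfig epair0b 10.1.1.1/24 up";
    exec.start += "route add default 10.1.1.254";
    exec.start += "/bin/sh /etc/rc";

    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair0a destroy";   # destroys both ends
}
```

With this layout the other jails, which still share the host's stack with their em0 addresses, reach 10.1.1.1 through the host's connected route on epair0a, and the mysql jail answers via its default route back through the host. On the host, pf sees that traffic on epair0a, so it can be filtered with ordinary `pass ... on epair0a` rules; the vnet jail has its own stack, so any filtering wanted inside it has to be run inside it.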
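Jim's telnet check, taken one step further as an added script that is not from the thread or from MySQL: it connects to the mysql jail's port, reads the server greeting and decodes it according to the MySQL client/server protocol (the HandshakeV10 packet), so it can tell apart the three outcomes a telnet session blurs together: the connection is blocked (connect fails), MySQL answers but refuses the client host with an ERR packet (error 1130, ER_HOST_NOT_PRIVILEGED), or the server is usable, in which case it reports the version, the auth plugin and whether CLIENT_SSL is offered, which matters once the database is reachable from other jails. The host and port default to 10.1.1.1:3306 from the thread; `probe()`, `parse_greeting()`, the builder helpers and the sample packets are mine, and the samples are constructed rather than captured from a real server.

```python
#!/usr/bin/env python3
"""Connect to a MySQL port and decode the server greeting.

Added example for this thread, not code from the thread or from MySQL.
Usage: mysql_greeting.py [host] [port]   (defaults: 10.1.1.1 3306)
"""
import socket
import struct
import sys

# Capability flags from the MySQL client/server protocol.
CLIENT_SSL = 0x00000800               # server accepts a TLS upgrade
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

HOST, PORT = "10.1.1.1", 3306          # the mysql jail from the thread


def parse_greeting(packet):
    """Decode the first packet a server sends: 3-byte little-endian payload
    length, 1-byte sequence id, then either a HandshakeV10 payload (0x0a) or
    an ERR packet (0xff) such as ER_HOST_NOT_PRIVILEGED (1130)."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload: want %d, got %d" % (length, len(payload)))
    if payload[0] == 0xFF:
        code = struct.unpack_from("<H", payload, 1)[0]
        raise ConnectionError("server refused: error %d: %s"
                              % (code, payload[3:].decode("utf-8", "replace")))
    if payload[0] != 0x0A:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    info = {"server_version": payload[1:end].decode("ascii", "replace")}
    pos = end + 1
    info["connection_id"] = struct.unpack_from("<I", payload, pos)[0]
    pos += 4
    salt = payload[pos:pos + 8]         # auth-plugin-data-part-1
    pos += 9                            # ... plus one filler byte
    cap_lo, charset, status, cap_hi, auth_len = struct.unpack_from("<HBHHB", payload, pos)
    pos += 8 + 10                       # those fields plus 10 reserved bytes
    caps = (cap_hi << 16) | cap_lo
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = payload[pos:pos + max(13, auth_len - 8)]
        pos += len(part2)
        salt += part2.rstrip(b"\x00")   # part 2 carries a trailing NUL
    if caps & CLIENT_PLUGIN_AUTH:
        info["auth_plugin"] = payload[pos:payload.index(b"\x00", pos)].decode("ascii")
    info.update(capabilities=caps, ssl=bool(caps & CLIENT_SSL),
                charset=charset, status=status, salt=salt)
    return info


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full greeting")
        buf += chunk
    return buf


def probe(host=HOST, port=PORT, timeout=5.0):
    """TCP connect, read one packet, return the decoded greeting.
    Raises OSError (including ConnectionError) or ValueError otherwise."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        head = _recv_exact(s, 4)
        body = _recv_exact(s, int.from_bytes(head[:3], "little"))
        return parse_greeting(head + body)


def build_greeting(version, caps, conn_id=42, salt=b"12345678abcdefghijkl",
                   plugin=b"mysql_native_password"):
    """Assemble a HandshakeV10 packet (used only for the offline samples)."""
    payload = (b"\x0a" + version.encode() + b"\x00"
               + struct.pack("<I", conn_id) + salt[:8] + b"\x00"
               + struct.pack("<HBHHB", caps & 0xFFFF, 0x21, 0x0002, caps >> 16, len(salt) + 1)
               + b"\x00" * 10 + salt[8:] + b"\x00" + plugin + b"\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def build_err(code, message):
    """Assemble a pre-authentication ERR packet (no SQL-state field)."""
    payload = b"\xff" + struct.pack("<H", code) + message.encode()
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


# Constructed sample packets, not captured from a real server.
SAMPLE_PLAIN = build_greeting("5.6.15", 0x0008F7FF)   # CLIENT_SSL clear
SAMPLE_TLS = build_greeting("5.6.15", 0x0008FFFF)     # CLIENT_SSL set
SAMPLE_REFUSED = build_err(
    1130, "Host '203.0.113.5' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    try:
        g = probe(host, port)
    except (OSError, ValueError) as exc:
        sys.exit("%s:%d: %s" % (host, port, exc))
    print("%s:%d is MySQL %s, connection id %d, TLS %s, auth plugin %s"
          % (host, port, g["server_version"], g["connection_id"],
             "offered" if g["ssl"] else "NOT offered", g.get("auth_plugin", "?")))
```

Run it from inside one of the em0 jails rather than from the host: a non-vnet jail is forced to use its own address as the source, so the result reflects exactly the path (and the pf rules, and the MySQL host grants) that the application in that jail will hit.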