Date: Sat, 17 Aug 2002 11:09:28 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Paulius Bulotas <paulius@kaktusas.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: jails and multiple networks
Message-ID: <20020817100928.GB16764@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020816193247.GA36535@kaktusas.org>
References: <20020816193247.GA36535@kaktusas.org>
On Fri, Aug 16, 2002 at 09:32:47PM +0200, Paulius Bulotas wrote:
> I've set up a 'master' PC with 2 jails in it, with 3 NICs to 3 different
> networks and only one default router (in master). Now I can connect to
> jails/master from outside, between jails and master. But I can't connect
> to outside from jails. So the question would be, is it possible at all
> and if yes, then how?
>
> All examples use ip aliases which share the same gateway (I assume ;),
> and I would like to use a different gateway for each jail.

Unfortunately, jail hosts aren't quite that independent of the main
system --- there's only one routing table in the main kernel, which
applies to both the master system and all the jails. The same is true
of most kernel-based stuff.

However, all is not lost. The key phrase you need is "policy based
routing", which you should be able to Google for with reasonable
expectation of success.

On FreeBSD policy based routing is implemented using ipfw(8) to forward
packets to the appropriate gateways. You'll need to build yourself a
custom kernel containing at least these extra options compared to
GENERIC:

    options IPFIREWALL
    options IPFIREWALL_FORWARD

See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
for kernel building instructions[*].

Let's suppose that your system is configured with three network cards
as follows:

    I/F    inet           netmask    gateway          notes:
    de0    192.168.0.1    /24        192.168.0.254    master
    de1    192.168.1.1    /24        192.168.1.254    jail 1
    de2    192.168.2.1    /24        192.168.2.254    jail 2

and the default route is:

    % netstat -rn | grep default
    default    192.168.0.254    UGSc    9    99999    de0

Then you need to have firewall rules equivalent to the following:

    add fwd 192.168.1.254 ip from 192.168.1.1 to not 192.168.1.0/24 out via de1
    add fwd 192.168.2.254 ip from 192.168.2.1 to not 192.168.2.0/24 out via de2

Some experimentation will undoubtedly be required to get everything
right for your setup, but that should give you the general idea. If
necessary, you can select by port number as well as source and
destination address.

Cheers,

Matthew

[*] Note that for recent 4-STABLE the 'make buildkernel KERNCONF=MYKERNEL'
    "new" mechanism will work as part of a {build,install}world cycle, but
    the "traditional" 'config MYKERNEL' mechanism possibly won't.

-- 
Dr Matthew J Seaman MA, D.Phil.    26 The Paddocks
                                   Savill Way
Tel: +44 1628 476614               Marlow
Fax: +44 0870 0522645              Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020817100928.GB16764>