Date: Sat, 24 Mar 2007 13:50:50 -0500
From: "Rick Apichairuk" <rick@logicmerc.com>
To: "'Matthew Seaman'" <m.seaman@infracaninophile.co.uk>, <freebsd-questions@freebsd.org>
Subject: RE: another jail question
Message-ID: <20070324185639.7C38A5C2B@www.logicmerc.com>
In-Reply-To: <46057007.50306@infracaninophile.co.uk>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Matthew Seaman
> Sent: Saturday, March 24, 2007 1:38 PM
> To: Jonathan Horne
> Cc: freebsd-questions@freebsd.org
> Subject: Re: another jail question
>
> Jonathan Horne wrote:
> > is there a way to configure a jail to use more than one ip address?
> > in the same sense of configuring an alias ip for any other freebsd
> > host?
>
> jail(8) only allows you one IP -- there are some patches around
> which will let you create jails with more IPs, and even better
> there's a clonable network stack under development -- meaning
> each jail can have its own firewall instance etc. etc.
>
> However none of that is really ready for prime time usage just
> yet. In fact, that's all rather experimental at the moment and
> suitable only for gurus to play with.
>
> There is an alternative.
>
> You can achieve something like what you want with a bit of
> firewall trickery. Add an alias IP to the loopback interface --
> say 127.0.0.2
>
> :# ifconfig lo0
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
>         inet 127.0.0.2 netmask 0xffffffff
>
> Now create a jail using that IP. Something like this in
> /etc/rc.conf is what you'll need, plus following the instructions
> in jail(8) to create the filesystems in the jail:
>
> jail_enable="YES"
> jail_list="j1"
> jail_j1_hostname="j1.example.com"
> jail_j1_interface="lo0"
> jail_j1_mount_enable="YES"
> jail_j1_fstab="/etc/fstab.jail.j1"
> jail_j1_ip="127.0.0.2"
> jail_j1_rootdir="/jail/j1.example.com"
>
> Fire up whatever services you want inside your jail -- within it,
> you'll have to configure everything to bind to the jail IP
> 127.0.0.2 specifically, but that's just the way things are in jails
> even without this redirection trick.
>
> Now, configure the IPs on interfaces you want the outside world to
> see as belonging to your jail -- for illustrative purposes I'll
> choose 12.34.56.78 and 12.34.56.79 as example addresses to use for
> the jail. Then use firewall NAT functionality to redirect traffic
> into the jail. If you use pf (definitely recommended) then a
> snippet like the following should be useful in /etc/pf.conf:
>
> jail_int="127.0.0.2"
> jail_ext0="12.34.56.78"
> jail_ext1="12.34.56.79"
>
> # Outward connections from within the jail
> nat on $ext_if proto { tcp udp } \
>     from $jail_int \
>     to !$jail_int -> $jail_ext0 static-port
>
> # Incoming connections to the jail
> rdr on $ext_if proto tcp \
>     from any \
>     to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int
>
> If you want to run multiple HTTPS v-hosts from within the jail
> you'll have to configure them to all run on distinct port numbers
> within apache, and use something like this to generate the mapping:
>
> rdr on $ext_if proto tcp \
>     from any \
>     to $jail_ext0 port 443 -> $jail_int port 8443
> rdr on $ext_if proto tcp \
>     from any \
>     to $jail_ext1 port 443 -> $jail_int port 9443
>
> This approach works pretty well for many protocols, but it does have
> the basic limitation that you can tell a priori from within the jail
> which external address the traffic went to. Either you've got to
> determine the answer by looking at the traffic payload (e.g. HTTP has
> a header saying which v-host the request is for) or apply the sort of
> port remapping shown above.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

You have a very interesting workaround to the problem. I am using jails as virtual servers and was wondering about the same thing myself. I will have to try this. Thanks for the idea.

Rick Apichairuk
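The nat/rdr snippet quoted above is only the translation half of a pf ruleset: it references an `$ext_if` macro it never defines, and it carries no filter rules, so whether the redirected connections are actually admitted depends on whatever pass/block rules are already loaded. The following is an added example (not from Matthew's message or from the FreeBSD project) of a complete /etc/pf.conf around that snippet. It assumes the public interface is em0, that the host is administered over ssh on its own address, and otherwise reuses the thread's addresses and ports (127.0.0.2 for the jail, 12.34.56.78 and 12.34.56.79 outside, 25/80 passed through, 443 remapped to 8443 and 9443).

```pf
# Added example, not part of the original thread.
# Assumed interface name; the thread's snippet uses $ext_if but never defines it.
ext_if    = "em0"
jail_int  = "127.0.0.2"
jail_ext0 = "12.34.56.78"   # example public addresses from the thread
jail_ext1 = "12.34.56.79"

# Do not filter the loopback interface itself (the jail lives on lo0 alias 127.0.0.2).
set skip on lo0

# --- translation (must come before the filter rules) ---

# Outward connections from within the jail leave with the first public address.
nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int -> $jail_ext0 static-port

# SMTP and HTTP on either public address go straight into the jail.
rdr on $ext_if proto tcp from any to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

# HTTPS: one distinct internal port per public address, so the jail can tell
# which v-host was requested (the limitation Matthew describes).
rdr on $ext_if proto tcp from any to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp from any to $jail_ext1 port 443 -> $jail_int port 9443

# --- filtering ---

# Default deny inbound on the public interface; log drops to pflog0.
block in log on $ext_if all

# pf translates before it filters, so the pass rule has to match the
# translated destination (127.0.0.2 and the jail's listening ports),
# not the public addresses. Listing the ports explicitly means a service
# that is accidentally started on another port in the jail stays unreachable.
pass in on $ext_if proto tcp from any to $jail_int port { 25 80 8443 9443 } flags S/SA keep state

# Assumed: the host itself is managed over ssh on its own interface address.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# Replies and the jail's own outbound connections (already NATed above).
pass out on $ext_if proto { tcp udp } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the translation rules as parsed and `pfctl -s state` shows the active translations, which is the quickest way to confirm that a connection to 12.34.56.79:443 really arrives at 127.0.0.2:9443. Packets rejected by the `block in log` rule can be watched with `tcpdump -n -e -ttt -i pflog0`. Inside the jail, each daemon still has to be told to bind to 127.0.0.2 explicitly, exactly as Matthew notes.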