Date:      Mon, 20 Jul 2020 10:36:36 +0200
From:      Alexander Leidinger <Alexander@leidinger.net>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        freebsd-questions@freebsd.org, freebsd-jail@freebsd.org, David Mehler <dave.mehler@gmail.com>
Subject:   Re: vnet jail for local only or public access
Message-ID:  <20200720103636.Horde.zal5m0xvlYS4M6dDZMM12RE@webmail.leidinger.net>
In-Reply-To: <5F120AB9.8060209@gmail.com>
References:  <CAPORhP5%2BQ8TX_DuwbdAfvqf97pX=SCRfgyOz%2BzvMqPdnJ2gmYA@mail.gmail.com> <5EFCD605.4000409@gmail.com> <CAPORhP7R26Y85-XjFXqKtAzr2A8RxHgK530CJzp8y73tcgjMDg@mail.gmail.com> <5EFD095F.4040507@gmail.com> <CAPORhP408Cmb2FG89VOpUJJZhGJ2KUG70%2B0pMnzyk3Xev4vi1Q@mail.gmail.com> <5F0119F3.40806@gmail.com> <CAPORhP7QpZ3=3iPfogcKsqf0gBtgLvOdbNLG9=-Hk=8XjNCrcA@mail.gmail.com> <5F049E65.8000701@gmail.com> <CAPORhP7q5s14qy7VcX0rSLbOimweh7aXZuqmPNzTSAchLOHe9w@mail.gmail.com> <5F0DEE4A.6080600@gmail.com> <CAPORhP74%2BVvsWQc-r7UX9pzuzOABxXeL3V1K7FEjJFDarMnyKQ@mail.gmail.com> <5F0F00EB.5010403@gmail.com> <CAPORhP4q6_vkxpPw3okKLmvsm9zPgUn6mDu1XT3x1U8q4uiuDw@mail.gmail.com> <5F0F0FBC.9020200@gmail.com> <CAPORhP77kh9VNR-ZP_1k_5vj-NM9dw1Vgxd3E_muVLNtiLsp6Q@mail.gmail.com> <5F0F152C.3040908@gmail.com> <CAPORhP4oNhA2vT5UG2OtV=JDbwcUCdXsXxzQXjZKSg1Fc6qe2Q@mail.gmail.com> <5F119D8F.7030407@gmail.com> <20200717152243.Horde.9H9QDqj9GtGFk_mayhRBsvs@webmail.leidinger.net> <5F120AB9.8060209@gmail.com>

Quoting Ernie Luzar <luzar722@gmail.com> (from Fri, 17 Jul 2020 16:31:53 -0400):

> Alexander Leidinger wrote:
>> Quoting Ernie Luzar <luzar722@gmail.com> (from Fri, 17 Jul 2020 08:46:07 -0400):
>>
>>> Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host, i.e. local-only vnet jails, as opposed to vnet jails that are able to access the public internet.
>>>
>>> Using the bridge/epair method of connecting vnet jails to the host.
>>> [ based on this how-to ]
>>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>> It's my understanding that this behavior is controlled by whether the host's interface connected to the public internet is added as a member of the bridge that the vnet jails' epairXa interfaces are members of.
>>
>> Partly correct. You can also have a setup where your host is routing between what you call the public internet and the local-only vnets.
>>
>>> I tested this on a remote VM and found that it made no difference one way or the other whether the host's interface connected to the public internet was added as a member of the bridge or not. In both cases the vnet jail had public internet access.
>>
>> It shouldn't, if there is no routing involved.
>>
>> Please show us "ifconfig -a" and "netstat -rn" of the host.
>>
>> Bye,
>> Alexander.
>>
>
> root >netstat -rn4
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            65.25.48.1         UGS         re0
> 10.0.0.0/8         link#1             U           em0
> 10.0.10.2          link#1             UHS         lo0
> 10.0.20.0/24       link#5             U      bridge10

You have a routing table entry for the bridge on the host.

> 10.0.20.2          link#5             UHS         lo0
> xxx.25.48.0/20     link#2             U           re0
> xxx.25.51.0        link#2             UHS         lo0
> 127.0.0.1          link#3             UH          lo0
> /root >
> /root >ifconfig -a

> bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	description: qjail-vnet-jail-only-bridge
> 	ether 02:3e:ba:a7:58:0a
> 	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
> 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> 	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> 	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 6 priority 128 path cost 2000
> 	groups: bridge
> 	nd6 options=1<PERFORMNUD>

Your bridge has an IP address.

Both together: I suspect your host is routing between your jail and the outside.

If you remove the IP address from the bridge, you should have a jails-on-the-bridge-only setup.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
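As an added example that is not part of the thread, a small POSIX shell check that reads the two outputs Alexander asked for and flags any bridge that both carries an inet address and appears as the Netif of a route, the combination he diagnoses above. The sample outputs are constructed from the quoted ifconfig/netstat listing; bridge11 is an invented bridge without an address, included for contrast.

```shell
# Added example, not from the thread: audit FreeBSD "ifconfig -a" and
# "netstat -rn" output for a bridge that has an IPv4 address AND a route
# whose Netif is that bridge. Both together mean the host can forward
# between the jails on the bridge and its public interface.

IFCONFIG_SAMPLE='bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-only-bridge
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

NETSTAT_SAMPLE='Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0
127.0.0.1          link#3             UH          lo0'

# bridges_with_inet: reads ifconfig -a output on stdin and prints
# "<bridge> <addr>" for every bridgeN interface that has an inet line.
bridges_with_inet() {
    awk '
        /^[a-z]/ { ifname = $1; sub(/:$/, "", ifname)
                   isbridge = (ifname ~ /^bridge[0-9]+$/) }
        isbridge && $1 == "inet" { print ifname, $2 }
    '
}

# bridge_routes: reads netstat -rn output on stdin and prints
# "<bridge> <destination>" for every route whose Netif is a bridge.
bridge_routes() {
    awk '$4 ~ /^bridge[0-9]+$/ { print $4, $1 }'
}

# routing_bridges: reports bridges showing BOTH signs, and prints (does
# not run) the address removal the thread suggests as the fix.
routing_bridges() {
    ifc="$1"; rt="$2"
    echo "$ifc" | bridges_with_inet | while read -r br addr; do
        dest=$(echo "$rt" | bridge_routes | awk -v b="$br" '$1 == b { print $2 }')
        [ -n "$dest" ] || continue
        echo "$br has $addr and route $dest: host routes for the jails"
        echo "fix: ifconfig $br inet $addr -alias"
    done
}

routing_bridges "$IFCONFIG_SAMPLE" "$NETSTAT_SAMPLE"
```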
