Date:      Tue, 31 May 2005 00:14:39 +0200
From:      Emanuel Strobl <Emanuel.strobl@gmx.net>
To:        freebsd-current@freebsd.org
Subject:   different default gateway for jails planned/possible?
Message-ID:  <200505310014.50780@harrymail>


Dear all,

Will it be possible to define a different default gateway for a jail?
Imagine a system with two interfaces, one for the host on a local GbE
switch (with NFS service) and the other one connected to a different
DMZ switch which should serve different jails.
Now the DMZ is useless, since anybody who broke into one jail can reach all
hosts on the "host" interface without the possibility to restrict
traffic on the router, since the packets go straight to the GbE interface.
This is a big security disadvantage, and if I block these packets I can no
longer connect from machines inside the GbE network to the jails in
the DMZ. The request will be routed, but answers go down the "host"
interface instead of the DMZ router interface. Even a different default
gateway wouldn't help in this case; the kernel would have to "keep in mind" that
packets from a jail mustn't be forwarded through any jail-foreign
interface. Also the usual routing table would have to be overridden, since
packets from a jail should go over the router to the GbE network (although
there is a well-known route, the interface which has the GbE net
configured).
But at least packets from a jail should be limited so that they can't pass any
other interface(s) than the one(s) which belong to the particular jail.
I think PF's route-to next-hop rule would be a workaround for my problem,
but I'm not too happy to have PF on a GbE fileserver.

Another jail question: Is it possible to limit resources on a per-jail basis?
Like the resource restrictions for users in login.conf, but for whole jails.

Thanks a lot,

-Harry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCm5BaBylq0S4AzzwRAoMKAJ91tHCTC4PKsbx5zZtgwV1vn/dmqgCgjAH0
Yd256PCXo1sMAIg3tO/w0uQ=
=34Vh
-----END PGP SIGNATURE-----
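The PF workaround mentioned in the message above, written out as a constructed pf.conf fragment. This is an added illustration, not configuration from the original poster; the interface names em0/em1, the DMZ router address and the jail addresses are assumptions. It covers both cases the message raises: traffic a jail originates towards the GbE LAN (route-to forces it out the DMZ interface to the DMZ router instead of the directly connected route) and replies to connections that reached a jail through the DMZ interface (reply-to sends the answers back the same way instead of down the host interface). Everything else sourced from a jail address on the host interface is dropped and logged.

```pf
# Constructed example, not from the original message. Interface names,
# router address and jail addresses are assumed placeholders.
host_if = "em0"                         # GbE interface, host-only LAN with NFS
dmz_if  = "em1"                         # DMZ interface the jails are bound to
dmz_gw  = "192.0.2.1"                   # DMZ router on the DMZ switch
jails   = "{ 192.0.2.10, 192.0.2.11 }"  # jail addresses (aliases on $dmz_if)

set skip on lo0

# Default: a packet with a jail source address must never leave the host
# interface, whatever the routing table says. Later matching rules below
# override this (pf is last-match-wins unless "quick" is used).
block out log on $host_if from $jails

# Jail-originated traffic that the routing table would send out the host
# interface (e.g. to the directly connected GbE LAN) is handed to the DMZ
# router instead, so the router can filter it like any other DMZ host.
pass out on $host_if route-to ($dmz_if $dmz_gw) from $jails to any keep state

# Connections arriving at a jail via the DMZ interface: reply via the DMZ
# router, not via whichever interface the routing table prefers for the
# client's address. Without this, GbE LAN clients get their answers on
# $host_if, which the block rule above would otherwise drop.
pass in on $dmz_if reply-to ($dmz_if $dmz_gw) from any to $jails keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for logged hits on the block rule: any entry there is a jail packet that would have escaped through the host interface. Note that this only constrains the path of packets carrying a jail address as source; it does not stop a process in a jail from binding to the host's address if the jail's IP restriction is not in place, and it does nothing for the per-jail resource limits asked about at the end of the message.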

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200505310014.50780>