From owner-freebsd-jail@FreeBSD.ORG Sun Jan 6 18:51:09 2013
Delivered-To: freebsd-jail@freebsd.org
Date: Sun, 6 Jan 2013 10:51:08 -0800 (PST)
From: Beeblebrox
To: freebsd-jail@freebsd.org
Message-ID: <1357498268340-5775221.post@n5.nabble.com>
In-Reply-To: <50B27916.9010002@FreeBSD.org>
References: <1352457514352-5759501.post@n5.nabble.com>
 <50A51022.5000801@FreeBSD.org>
 <1353228642821-5761961.post@n5.nabble.com>
 <1353836793676-5763946.post@n5.nabble.com>
 <50B27916.9010002@FreeBSD.org>
Subject: Re: Recent jail problems [was: ICMP RAW socket error]
Content-Type: text/plain; charset=us-ascii
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Sun, 06 Jan 2013 18:51:09 -0000

Hi - just to follow up, I thought that /etc/jail.conf functionality would
be implemented by the time 9.1-STABLE had rolled around. Since settings in
that file are still being ignored, can you advise an approximate time when
the file will become functional? Without entries in /etc/rc.conf I get:

Starting jails:/etc/rc.d/jail: ERROR: jail: No hostname has been defined for

Thanks.
--
View this message in context: http://freebsd.1045724.n5.nabble.com/ICMP-RAW-socket-error-tp5759501p5775221.html
Sent from the freebsd-jail mailing list archive at Nabble.com.

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 7 04:01:57 2013
Date: Mon, 7 Jan 2013 04:01:57 GMT
Message-Id: <201301070401.r0741vaP003585@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/174902: [jail] jail should provide validator for jail names

Old Synopsis: jail should provide validator for jail names
New Synopsis: [jail] jail should provide validator for jail names

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Jan 7 04:01:38 UTC 2013
Responsible-Changed-Why: reclassify.
http://www.freebsd.org/cgi/query-pr.cgi?pr=174902

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 7 09:50:48 2013
Date: Mon, 7 Jan 2013 10:47:08 +0100
From: Fabian Keil
To: "other@ahhyes.net"
Cc: freebsd-jail@freebsd.org
Subject: Re: Easiest way to update jails from 9.0 to 9.1
Message-ID: <20130107104708.7be01c87@fabiankeil.de>

"other@ahhyes.net" wrote:

> I created the jails by hand individually using the steps given in
> the FreeBSD handbook, can ezjail still be of use or am I going to
> have to reinstall world for each jail?
With ezjail you usually only use one "world" and nullfs mount it into
the jails to save space and share caching effects:

fk@r500 ~ $mount | grep privoxy-jail
tank/usr/jails/privoxy-jail on /usr/jails/privoxy-jail (zfs, local, noatime, nfsv4acls)
/usr/jails/basejail on /usr/jails/privoxy-jail/basejail (nullfs, local, read-only)
/home/fk/privoxy on /usr/jails/privoxy-jail/usr/local/etc/privoxy (nullfs, local)
/usr/jails/porttest/var/ports/packages on /usr/jails/privoxy-jail/var/ports/packages (nullfs, local, read-only)
devfs on /usr/jails/privoxy-jail/dev (devfs, local, multilabel)
fdescfs on /usr/jails/privoxy-jail/dev/fd (fdescfs)
procfs on /usr/jails/privoxy-jail/proc (procfs, local)

There is also some integrated zfs support, but I haven't looked at it yet.

I update the basejail with "ezjail-admin update -i" installing the same
binaries I've previously built for the host system. Due to nullfs it
only has to be done once no matter how many jails there are.

I assume to properly make use of ezjail you would have to convert your
jails, but this shouldn't be too much work and would only have to be
done once. Of course it still makes sense to experiment with ezjail
first to see if you like it. I haven't tried any of the alternatives
but at least some people seem to prefer them.

> How about mergemaster for jails (in dealing with updates to /etc )

I don't use mergemaster for jails. I just checked and in the
privoxy-jail mentioned above, most files in /etc are from 2006
when I created that jail.

I frequently run mergemaster on the system hosting the jails and
if there were updates that would matter for the jails as well,
I'd update them manually. I don't see the point of updating files
in the jails that aren't used anyway.
Fabian

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 7 10:32:35 2013
Message-ID: <50EAA439.7060606@quip.cz>
Date: Mon, 07 Jan 2013 11:32:25 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Fabian Keil
Cc: freebsd-jail@freebsd.org
Subject: Re: Easiest way to update jails from 9.0 to 9.1
In-Reply-To: <20130107104708.7be01c87@fabiankeil.de>
Fabian Keil wrote:
>> How about mergemaster for jails (in dealing with updates to /etc )
> I don't use mergemaster for jails. I just checked and in the
> privoxy-jail mentioned above, most files in /etc are from 2006
> when I created that jail.
>
> I frequently run mergemaster on the system hosting the jails and
> if there were updates that would matter for the jails as well,
> I'd update them manually. I don't see the point of updating files
> in the jails that aren't used anyway.

They are used. There are frequently changes in /etc/rc.d files. I don't
use ezjail and I use mergemaster after every jail upgrade in each jail,
it always found some changes.

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 7 11:06:48 2013
Date: Mon, 7 Jan 2013 11:06:47 GMT
Message-Id: <201301071106.r07B6lwG087911@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/174902  jail       [jail] jail should provide validator for jail names
o kern/174436  jail       [jail] Jails with numbers as names don't work
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

15 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon Jan 7 11:36:19 2013
Date: Mon, 7 Jan 2013 12:25:04 +0100
From: Fabian Keil
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Subject: Re: Easiest way to update jails from 9.0 to 9.1
Message-ID: <20130107122504.26950510@fabiankeil.de>
In-Reply-To: <50EAA439.7060606@quip.cz>

Miroslav Lachman <000.fbsd@quip.cz> wrote:

> Fabian Keil wrote:
> >> How about mergemaster for jails (in dealing with updates to /etc )
> > I don't use mergemaster for jails. I just checked and in the
> > privoxy-jail mentioned above, most files in /etc are from 2006
> > when I created that jail.
> >
> > I frequently run mergemaster on the system hosting the jails and
> > if there were updates that would matter for the jails as well,
> > I'd update them manually. I don't see the point of updating files
> > in the jails that aren't used anyway.
>
> They are used. There are frequently changes in /etc/rc.d files. I don't
> use ezjail and I use mergemaster after every jail upgrade in each jail,
> it always found some changes.

To clarify: In my jails the /etc/rc.d files are mostly "used" to not
start services and the old ones can do that as good as the new ones.

I'm not saying that frequently updating /etc files in jails is useless
in general. On systems I use mergemaster I mainly upgrade most files
because it reduces the noise the next time I run mergemaster, not
because I think the changes are needed. As I don't run mergemaster in
the jails reducing the noise doesn't matter and a lot of the changes
that affect my host systems don't affect the jails.

Fabian
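The layout Fabian describes earlier in this thread (one basejail nullfs-mounted read-only into every jail, with per-jail mounts layered on top) only stays safe as long as the shared part really is read-only: a writable shared basejail would let any one jail alter the binaries every other jail executes. The script below is an added example, not Fabian's or ezjail's code. It takes a mount(8) listing in the format shown above, reports every nullfs mount under a jail root that is writable, and fails hard when the basejail is one of them. The two listings and the `writable_nullfs` function are constructed for this example; the first listing is modelled on Fabian's output, the second is a deliberately misconfigured variant.

```shell
#!/bin/sh
# Added example, not from the thread or from ezjail: audit the nullfs
# mounts of one jail. Shared read-only material (the basejail) must stay
# read-only; anything nullfs-mounted writable is reported for review.

# Constructed mount(8) output for the jail rooted at /usr/jails/privoxy-jail,
# modelled on the listing quoted earlier in the thread.
SAMPLE_MOUNTS='tank/usr/jails/privoxy-jail on /usr/jails/privoxy-jail (zfs, local, noatime, nfsv4acls)
/usr/jails/basejail on /usr/jails/privoxy-jail/basejail (nullfs, local, read-only)
/home/fk/privoxy on /usr/jails/privoxy-jail/usr/local/etc/privoxy (nullfs, local)
/usr/jails/porttest/var/ports/packages on /usr/jails/privoxy-jail/var/ports/packages (nullfs, local, read-only)
devfs on /usr/jails/privoxy-jail/dev (devfs, local, multilabel)
fdescfs on /usr/jails/privoxy-jail/dev/fd (fdescfs)
procfs on /usr/jails/privoxy-jail/proc (procfs, local)'

# Same jail with the shared basejail mounted writable (constructed
# misconfiguration used to show the failure path).
BAD_MOUNTS='/usr/jails/basejail on /usr/jails/privoxy-jail/basejail (nullfs, local)
devfs on /usr/jails/privoxy-jail/dev (devfs, local, multilabel)'

# writable_nullfs JAILROOT MOUNT_LISTING
# mount(8) prints "<source> on <mountpoint> (<type>, <option>, ...)".
# Prints "<source> -> <mountpoint>" for each nullfs mount below JAILROOT
# whose option list lacks read-only. Exits 1 if the basejail is among them.
writable_nullfs() {
    printf '%s\n' "$2" | awk -v root="$1/" '
        {
            opts = $0; sub(/^[^(]*\(/, "", opts)   # everything after the "("
            if (index($3, root) == 1 && $4 ~ /^\(nullfs/ && opts !~ /read-only/) {
                print $1 " -> " $3
                if ($3 == root "basejail") bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# On a live jail host the call would be:
#   writable_nullfs /usr/jails/privoxy-jail "$(mount)"
for listing in "$SAMPLE_MOUNTS" "$BAD_MOUNTS"; do
    if writable_nullfs /usr/jails/privoxy-jail "$listing"; then
        echo "OK: basejail is read-only (any mounts listed above are per-jail and writable)"
    else
        echo "FAIL: shared basejail is writable from inside the jail"
    fi
done
```

For the first listing the only writable nullfs mount is the per-jail privoxy configuration directory, which is expected; for the second the basejail itself is reported and the function returns non-zero, so the check can gate a jail start script.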
From owner-freebsd-jail@FreeBSD.ORG Tue Jan 8 20:14:06 2013
Message-ID: <50EC7C67.2000606@vfemail.net>
Date: Tue, 08 Jan 2013 20:07:03 +0000
From: Free BSD
To: jail@freebsd.org
Subject: routing issue with Jail hosts :: suggestion requested
Dear List Members

I have a scenario where I have an unusual routing need. This is one
server with two (or more) interfaces. One of the interfaces is connected
to a public IP network, the other one is connected to the LAN. This box
is NOT a gateway machine, just a box serving on two sides of the
network. Network diagram below:

                                 Interface em1
                                 Public IP Network
Connected to Gateway a.b.c.1 <---+
                                 |
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@                                |                                 @
@               +----------------+----------------+                @
@               |                                 |                @
@   +-----------+------------+        +-----------+------------+   @
@   |        Jail 01         |        |        Jail 02         |   @
@   |  Public IP a.b.c.4     |        |  Public IP a.b.c.5     |   @
@   |  Gateway a.b.c.1       |        |  Gateway a.b.c.1       |   @
@   +------------------------+        +------------------------+   @
@                                                                  @
@                                                                  @
@                                                                  @
@   +------------------------+        +------------------------+   @
@   |        Jail 03         |        |        Jail 04         |   @
@   |  Private IP x.y.z.101  |        |  Private IP x.y.z.102  |   @
@   |  Gateway x.y.z.1       |        |  Gateway x.y.z.1       |   @
@   +-----------+------------+        +-----------+------------+   @
@               |                                 |                @
@               +----------------+----------------+                @
@                                |                                 @
@   Main Host Server             |                                 @
@   Private IP x.y.z.100         |                                 @
@   GW x.y.z.1                   |                                 @
@                                |                                 @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                 |
Interface em0                    |
Local Area Network/Private IP    |
Connected to GW x.y.z.1 <--------+

Now, the problem is, the jails 03 and 04 need to use the default route
for the LAN, since the main firewall on the network does a NAT to these
jails. At the same time, the jails 01 and 02 need to use the default
route for the public Network, since there are port mappings on them. I
will use pf for firewalling, so only certain traffic from certain
direction is available.
But some traffic is common and could be from any source (i.e., http/S,
smtp/S). So, there is http running in jail 01 and jail 03 (two different
servers entirely, serving different sites), or smtp/S on jail 02, which
too could be from anywhere.

Given that /by default/ all jails use the defaultroute of the host
system, I am looking into possible work-around/solution and would
appreciate your feedback on this matter. If there were any discussion in
the similar line, google failed to yield that to me (had been looking
for them for the last two days, but most are dealing with using ipfw and
NAT on the same interface -- I am connecting different interface to
different network, and would prefer that isolation). If anyone is aware
of any such discussion, would appreciate links/pointers to that too.

Thanks all.

-------------------------------------------------
VFEmail.net - http://www.vfemail.net
$14.95 ONETIME Lifetime accounts with Privacy Features!  15GB disk!  No bandwidth quotas!
Commercial and Bulk Mail Options!
From owner-freebsd-jail@FreeBSD.ORG Tue Jan 8 20:39:48 2013
Subject: Re: routing issue with Jail hosts :: suggestion requested
From: Devin Teske
In-Reply-To: <50EC7C67.2000606@vfemail.net>
Date: Tue, 8 Jan 2013 12:39:44 -0800
Message-ID: <37A72843-9412-475E-AFE8-1759CAB44410@fisglobal.com>
To: Free BSD
Cc: jail@freebsd.org

Maybe giving each of the jails their own networking stack would help?

Do you know about VIMAGE?
I have a boot script that makes it easy to test out this new/experimental
(yet very stable) feature:

http://druidbsd.sf.net/vimage.shtml

--
Devin

On Jan 8, 2013, at 12:07 PM, Free BSD wrote:

> Dear List Members
>
> I have a scenario where I have an unusual routing need. This is one
> server with two (or more) interfaces. One of the interfaces is
> connected to a public IP network, the other one is connected to the
> LAN. This box is NOT a gateway machine, just a box serving on two
> sides of the network. Network diagram below:
>
> [...]

_____________
The information contained in this message is proprietary and/or
confidential. If you are not the intended recipient, please: (i) delete
the message and all copies; (ii) do not disclose, distribute or use the
message in any manner; and (iii) notify the sender immediately. In
addition, please be aware that any message addressed to our domain is
subject to archiving and review by persons other than the intended
recipient. Thank you.
From owner-freebsd-jail@FreeBSD.ORG Tue Jan 8 23:41:18 2013
Date: Wed, 9 Jan 2013 00:41:10 +0100
From: Paul Schenkeveld
To: freebsd-jail@freebsd.org
Subject: Re: routing issue with Jail hosts :: suggestion requested
Message-ID: <20130108234110.GA53569@psconsult.nl>
In-Reply-To: <37A72843-9412-475E-AFE8-1759CAB44410@fisglobal.com>

On Tue, Jan 08, 2013 at 12:39:44PM -0800, Devin Teske wrote:
> Maybe giving each of the jails their own networking stack would help?
>
> Do you know about VIMAGE?
>
> I have a boot script that makes it easy to test out this new/experimental (yet very stable) feature:
>
> http://druidbsd.sf.net/vimage.shtml

VIMAGE (vnet option of jails) can do this but may be a bit overkill.
Creating two routing tables and using jail_<name>_fib in rc.conf to assign
each jail to a certain routing table should be enough to do the trick.

> --
> Devin
>
> On Jan 8, 2013, at 12:07 PM, Free BSD wrote:
>
> > Dear List Members
> >
> > I have a scenario where I have an unusual routing need. This is one
> > server with two (or more) interfaces. One of the interfaces is
> > connected to a public IP network, the other one is connected to the
> > LAN. This box is NOT a gateway machine, just a box serving on two
> > sides of the network. Network diagram below:
> >
> > [...]

From owner-freebsd-jail@FreeBSD.ORG Wed Jan 9 19:46:01 2013
Message-ID: <50EDC8E2.2080806@vfemail.net>
Date: Wed, 09 Jan 2013 19:45:38 +0000
From: Free BSD
To: jail@freebsd.org
Cc: Devin Teske
Subject: Re: routing issue with Jail hosts :: suggestion requested
In-Reply-To: <37A72843-9412-475E-AFE8-1759CAB44410@fisglobal.com>
On 08/01/2013 20:39, Devin Teske wrote:
> Maybe giving each of the jails their own networking stack would help?
>
> Do you know about VIMAGE?
>
> I have a boot script that makes it easy to test out this
> new/experimental (yet very stable) feature:
>
> http://druidbsd.sf.net/vimage.shtml
>
> --
> Devin
>

Thanks Devin, didn't know about VIMAGE. Interestingly none of my google
searches brought that up either. Glad you pointed to it. I am looking at
it now and it looks promising, maybe that will be the way I'll try (even
if it does not work, it will be an educational cycle :D).

Thanks again.
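Paul's suggestion earlier in the thread (two routing tables, one jail_<name>_fib entry per jail) worked through as an added example; this is editor-supplied code, not from any participant in the thread. It relies on the FreeBSD 9.x facilities for multiple routing tables (the ROUTETABLES kernel option or the net.fibs loader tunable, setfib(1), and the jail_<name>_fib variable documented in rc.conf(5)), none of which the thread spells out beyond Paul's one sentence. The gateways a.b.c.1 and x.y.z.1 are the placeholders from the original post; the jail names jail01..jail04, both rc.conf fragments and the `check_fib_mapping` function are constructed for this example. The check catches the failure mode a two-FIB setup is prone to: a jail pinned to a FIB number the kernel was not configured with, or a jail left unpinned and therefore silently using the host's table.

```shell
#!/bin/sh
# Added example (not from the thread): one routing table per network side,
# jails pinned to a table with jail_<name>_fib, and a pre-flight check that
# every assigned FIB exists. Jail names, FIB numbers and both rc.conf
# fragments are constructed; a.b.c.1 / x.y.z.1 are the placeholders used in
# the original post.
#
# Kernel side: two routing tables, via "options ROUTETABLES=2" in the kernel
# config or, in /boot/loader.conf:
#   net.fibs=2
#
# FIB 0 keeps the LAN default route (host, jail03, jail04); FIB 1 carries the
# public default route (jail01, jail02). Interface routes are copied into every
# FIB by default on 9.x (net.add_addr_allfibs=1), so FIB 1 only needs its own
# default route, added at boot from e.g. /etc/rc.local:
#   setfib 1 route add default a.b.c.1

# Constructed /etc/rc.conf fragment (only the lines relevant to routing;
# rootdir, hostname and interface settings omitted).
GOOD_RCCONF='defaultrouter="x.y.z.1"
jail_enable="YES"
jail_list="jail01 jail02 jail03 jail04"
jail_jail01_ip="a.b.c.4"
jail_jail01_fib="1"
jail_jail02_ip="a.b.c.5"
jail_jail02_fib="1"
jail_jail03_ip="x.y.z.101"
jail_jail03_fib="0"
jail_jail04_ip="x.y.z.102"
jail_jail04_fib="0"'

# Constructed broken variant: jail02 points at a FIB that does not exist with
# net.fibs=2, and jail04 has no _fib line at all.
BAD_RCCONF='defaultrouter="x.y.z.1"
jail_enable="YES"
jail_list="jail01 jail02 jail03 jail04"
jail_jail01_fib="1"
jail_jail02_fib="2"
jail_jail03_fib="0"'

# check_fib_mapping RCCONF_TEXT NFIBS
# For every jail in jail_list print "<jail> fib <n>"; a jail without a
# jail_<name>_fib line is reported as "fib 0 (default)" because rc.d/jail then
# starts it in the host's table. Returns 1 if any assigned FIB is outside
# 0..NFIBS-1.
check_fib_mapping() {
    printf '%s\n' "$1" | awk -v nfibs="$2" '
        function unquote(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
        /^jail_list=/ { list = unquote($0) }
        /^jail_[A-Za-z0-9_]+_fib=/ {
            name = $0; sub(/^jail_/, "", name); sub(/_fib=.*$/, "", name)
            fib[name] = unquote($0)
        }
        END {
            n = split(list, jails, " ")
            for (i = 1; i <= n; i++) {
                j = jails[i]
                if (!(j in fib)) { printf "%s fib 0 (default)\n", j; continue }
                if (fib[j] !~ /^[0-9]+$/ || fib[j] + 0 >= nfibs) {
                    printf "%s fib %s INVALID (net.fibs=%d)\n", j, fib[j], nfibs
                    bad = 1
                } else
                    printf "%s fib %s\n", j, fib[j]
            }
            exit bad ? 1 : 0
        }'
}

# On a live host: check_fib_mapping "$(cat /etc/rc.conf)" "$(sysctl -n net.fibs)"
for conf in "$GOOD_RCCONF" "$BAD_RCCONF"; do
    if check_fib_mapping "$conf" 2; then
        echo "mapping OK"
    else
        echo "mapping has errors: fix the jail_<name>_fib lines or raise net.fibs"
    fi
done
```

Running the check before starting jails is the cheap way to find the misconfiguration that otherwise shows up as a jail that can reach the LAN but not its public gateway, or the other way round.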