From: "Rick Apichairuk" <rick@logicmerc.com>
To: "'Matthew Seaman'", freebsd-questions@freebsd.org
Date: Sat, 24 Mar 2007 13:50:50 -0500
Subject: RE: another jail question
In-Reply-To: <46057007.50306@infracaninophile.co.uk>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Matthew Seaman
> Sent: Saturday, March 24, 2007 1:38 PM
> To: Jonathan Horne
> Cc: freebsd-questions@freebsd.org
> Subject: Re: another jail question
>
> Jonathan Horne wrote:
> > is there a way to configure a jail to use more than one ip address?
> > in the same sense of configuring an alias ip for any other freebsd
> > host?
>
> jail(8) only allows you one IP -- there are some patches around
> which will let you create jails with more IPs, and even better
> there's a clonable network stack under development -- meaning
> each jail can have its own firewall instance etc. etc.
>
> However none of that is really ready for prime time usage just
> yet. In fact, that's all rather experimental at the moment and
> suitable only for gurus to play with.
>
> There is an alternative.
>
> You can achieve something like what you want with a bit of
> firewall trickery. Add an alias IP to the loopback interface --
> say 127.0.0.2
>
> :# ifconfig lo0
> lo0: flags=8049 mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
>         inet 127.0.0.2 netmask 0xffffffff
>
> Now create a jail using that IP. Something like this in
> /etc/rc.conf is what you'll need, plus following the instructions
> in jail(8) to create the filesystems in the jail:
>
> jail_enable="YES"
> jail_list="j1"
> jail_j1_hostname="j1.example.com"
> jail_j1_interface="lo0"
> jail_j1_mount_enable="YES"
> jail_j1_fstab="/etc/fstab.jail.j1"
> jail_j1_ip="127.0.0.2"
> jail_j1_rootdir="/jail/j1.example.com"
>
> Fire up whatever services you want inside your jail -- within it,
> you'll have to configure everything to bind to the jail IP
> 127.0.0.2 specifically, but that's just the way things are in jails
> even without this redirection trick.
>
> Now, configure the IPs on interfaces you want the outside world to
> see as belonging to your jail -- for illustrative purposes I'll
> choose 12.34.56.78 and 12.34.56.79 as example addresses to use for
> the jail. Then use firewall NAT functionality to redirect traffic
> into the jail. If you use pf (definitely recommended) then a
> snippet like the following should be useful in /etc/pf.conf:
>
> jail_int="127.0.0.2"
> jail_ext0="12.34.56.78"
> jail_ext1="12.34.56.79"
>
> # Outward connections from within the jail
> nat on $ext_if proto { tcp udp } \
>     from $jail_int \
>     to !$jail_int -> $jail_ext0 static-port
>
> # Incoming connections to the jail
> rdr on $ext_if proto tcp \
>     from any \
>     to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int
>
> If you want to run multiple HTTPS v-hosts from within the jail
> you'll have to configure them to all run on distinct port numbers
> within apache, and use something like this to generate the mapping:
>
> rdr on $ext_if proto tcp \
>     from any \
>     to $jail_ext0 port 443 -> $jail_int port 8443
> rdr on $ext_if proto tcp \
>     from any \
>     to $jail_ext1 port 443 -> $jail_int port 9443
>
> This approach works pretty well for many protocols, but it does have
> the basic limitation that you can tell a priori from within the jail
> which external address the traffic went to. Either you've got to
> determine the answer by looking at the traffic payload (e.g. HTTP has
> a header saying which v-host the request is for) or apply the sort of
> port remapping shown above.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

You have a very interesting workaround to the problem. I am using jails as virtual servers and was wondering about the same thing myself. I will have to try this. Thanks for the idea.

Rick Apichairuk
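As an added example that is not part of the original thread, the following POSIX sh script generates the per-address HTTPS remapping Matthew describes: one pf rdr rule per external address into a distinct jail-side port, plus the matching Apache Listen lines bound to the jail IP. The interface name em0 and the port sequence 8443, 9443, ... are assumptions; the addresses are the ones used in the quoted message.

```shell
#!/bin/sh
# Added example, not from the original thread: generate the per-address
# HTTPS remapping described in the quoted message. The jail sees only
# 127.0.0.2, so each external address is redirected to a distinct
# jail-side port and Apache listens on that port for the matching vhost.
# Assumed (constructed) values: external interface "em0", jail-side ports
# 8443, 9443, ... (BASE_PORT plus STEP per address).

JAIL_INT="127.0.0.2"     # jail IP from the message (alias on lo0)
EXT_IF="em0"             # assumption: external interface name
BASE_PORT=8443           # assumption: first jail-side HTTPS port
STEP=1000                # assumption: increment per external address

# gen_https_rdr EXT_IP... : one pf rdr rule per external address,
# sending its port 443 to the jail IP on a unique port
gen_https_rdr() {
    port=$BASE_PORT
    for ext in "$@"; do
        printf 'rdr on %s proto tcp from any to %s port 443 -> %s port %d\n' \
            "$EXT_IF" "$ext" "$JAIL_INT" "$port"
        port=$((port + STEP))
    done
}

# gen_apache_listen EXT_IP... : the matching httpd.conf Listen lines for
# the jail, each bound explicitly to the jail IP (as the message requires)
gen_apache_listen() {
    port=$BASE_PORT
    for ext in "$@"; do
        # Apache does not accept trailing comments, so the note gets its own line
        printf '# vhost reached from outside via %s:443\n' "$ext"
        printf 'Listen %s:%d\n' "$JAIL_INT" "$port"
        port=$((port + STEP))
    done
}

# Sample run with the two example addresses from the message
gen_https_rdr 12.34.56.78 12.34.56.79
echo
gen_apache_listen 12.34.56.78 12.34.56.79
```

Feed the first block into /etc/pf.conf (after the ext_if and jail macros) and the second into the jail's httpd.conf; the two stay in step because both are derived from the same address list.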