From: Arthur Chance
To: Karl Pielorz
Cc: freebsd-questions@freebsd.org
Date: Wed, 07 Aug 2013 12:23:44 +0100
Subject: Re: Static Jail ID's (JID's) for use with IPFW?
Message-ID: <52022E40.8050007@qeng-ho.org>

On 07/08/2013 09:28, Karl Pielorz wrote:
> I have a number of jailed systems running - and I've been setting up
> ipfw rules for them.
>
> This is on FBSD 9.1.
>
> 'ipfw' lets you match on traffic to/from a Jail ID (JID) - however every
> time jails get started / stopped their JID changes [thus breaking the
> firewall rules].
>
> I can't see anywhere to 'statically' configure a JID to a Jail (i.e. in
> /etc/rc.conf).

I don't think the old /etc/rc.conf way of handling jails lets you do it,
but the latest version of jail(8) introduced /etc/jail.conf and you
should be able to add "jid = ;" parameters in there. I've no idea what
will happen if your choice conflicts with an automatically generated
jid, so you'll either have to make sure all jails have fixed jids, or
choose a suitably high range for fixed ones and hope you never generate
too many unfixed jids.

-- 
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they were
cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_
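
Added example, not part of the original message or of FreeBSD: a small sh/awk check that every `jail N` match in an ipfw rule file refers to a JID fixed in jail.conf, and that no jail is left unfixed or shares a fixed JID. The jail names, JIDs, paths, rule numbers and file names are constructed sample data, and the parser assumes simple one-level jail blocks.

```shell
#!/bin/sh
# Added example; jail names, JIDs, paths and rules are constructed sample data.
# Print "name jid" per jail block of a jail.conf; jid is "-" if none is set.
# Assumes simple one-level blocks (no ${var} substitutions or nesting).
jail_jids() {
    awk '
        /^[ \t]*#/ { next }
        /^[A-Za-z0-9_.-]+[ \t]*[{]/ { name = $1; sub(/[{].*/, "", name); jid = "-" }
        name != "" && /jid[ \t]*=[ \t]*[0-9]+/ {
            jid = $0; sub(/.*jid[ \t]*=[ \t]*/, "", jid); sub(/[^0-9].*/, "", jid)
        }
        name != "" && /[}]/ { print name, jid; name = "" }
    ' "$1"
}

# Report jails with no fixed jid, jids fixed twice, and ipfw "jail N" rules
# whose N is not fixed for any jail in jail.conf.
check_jids() {
    conf=$1; rules=$2
    jail_jids "$conf" | awk '
        $2 == "-"    { print "UNPINNED jail " $1; next }
        ($2 in seen) { print "DUPLICATE jid " $2 " (" seen[$2] ", " $1 ")"; next }
                     { seen[$2] = $1 }'
    pinned=" $(jail_jids "$conf" | awk '$2 != "-" { printf "%s ", $2 }')"
    awk '!/^[ \t]*#/ { for (i = 1; i < NF; i++) if ($i == "jail") print $(i + 1) }' "$rules" |
    while read -r id; do
        case "$pinned" in
            *" $id "*) ;;
            *) echo "UNPINNED-REF ipfw rule matches jid $id" ;;
        esac
    done
}

demo() {
    d=$(mktemp -d)
    cat > "$d/jail.conf" <<'EOF'
www  { path = "/jails/www";  jid = 100; }
mail { path = "/jails/mail"; jid = 100; }
db {
    path = "/jails/db";
}
EOF
    cat > "$d/ipfw.rules" <<'EOF'
add 1000 allow tcp from any to me 80 jail 100
add 1100 allow tcp from any to me 5432 jail 3
EOF
    check_jids "$d/jail.conf" "$d/ipfw.rules"
    rm -rf "$d"
}
demo
```
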