Date:      Wed, 26 Oct 2011 08:30:45 -0600
From:      "Peter" <fbsdq@peterk.org>
To:        "carlopmart" <carlopmart@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Some questions about jails on FreeBSD9.0-RC1
Message-ID:  <fd8a791c7e9d7cb1a4c68d286bc32f4e.squirrel@pop.pknet.net>
In-Reply-To: <4EA7BC66.3090304@gmail.com>
References:  <4EA721A7.8050905@gmail.com> <20111026031202.2a8780f9@davenulle.org> <4EA7BC66.3090304@gmail.com>

> On 10/26/2011 03:12 AM, Patrick Lamaiziere wrote:
>> Le Tue, 25 Oct 2011 22:52:55 +0200,
>> carlopmart<carlopmart@gmail.com>  wrote:
>>
>> Hello,
>>
>>>    I have installed one FreeBSD 9.0-RC1 host to run different services
>>> (dns, smtp and www only) using jails. This host has two physical
>>> nics: em0 and em1. em0 is assigned to the physical host, and I would like
>>> to assign em1 to jails. But em0 and em1 are on different networks:
>>> em0 is on 192.168.1.0/24 and em1 on 192.168.2.0/29.
>>>
>>>    I have set up one jail using ezjail. My first surprise is that
>>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>>> suppose that it is normal. But my first question is: can I install a
>>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>>
>> You may run 8.2 installed ports on 9.0 by using the port
>> /usr/ports/misc/compat8x/
>>
>> But I suggest to upgrade the port ASAP.
>>
>>>    And the real question: How do I need to configure network under
>>> this jail to access it? I have configured ifconfig param for em1 on
>>> host's rc.conf, but what about the default route under this jail?? I
>>> thought to use pf rules, but I am not sure.
>>
>> jail enforces the use of the jail IP address in the jail, but that's
>> all. Just enable routing on the host.
>>
>
> But, that is not possible. Between host and jail exists a firewall ... I
> can't do simple routing with the host. Maybe a possible solution is to
> use policy source routing ??
>
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________


I'm using FIBs.  The host is on a private network with gateway of
192.168.1.1 and jails are on public network with their own real/public
gateway.

FIBs work without the box becoming a gateway:
%grep gateway /etc/rc.conf
gateway_enable="NO"

I have this in system startup to set up the "public gateway" for jails:
%cat /usr/local/etc/rc.d/0.setfib.sh
#!/bin/sh
echo setfib 1 for public jails
/usr/sbin/setfib 1 /sbin/route add default 216.241.167.1

 and in /usr/local/etc/ezjail/myjail I added this line to the end of the config:
export jail_myjail_fib="1"

[/usr/sbin/jail has FIB support built in, but at that time ezjail did not,
so I had to manually add it in the config - nowadays I believe ezjail has
FIB support natively, but the resulting config file is the same]

The host is using NAT to get out via private IP, and jails are available
via public IP.  All the IPs are defined in rc.conf the normal _alias way.

FIB support as I remember needs a custom kernel - not sure about 9, this
is in 8.2.


I even run openbsd spamd on the host and using FIBs to start the spamd
daemon via a 'setfib 1' wrapper script:

%cat /usr/local/etc/rc.d/obspamdfib.sh
#!/bin/sh
#
# this just calls the original file, but with setfib 1

/usr/sbin/setfib 1 /usr/local/etc/rc.d.fib/obspamd $1

I had moved the 'obspamd' startup script to rc.d.fib just so a 'setfib 1'
wrapper is called.

]Peter[
 FIBs are awesome when you don't have many public IPs and when host is
_only_ a jail host running no services
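
An added example (not Peter's code, nor part of ezjail): POSIX sh checks for the setup described in the message, verifying that a jail has its own valid non-zero FIB in the ezjail config and that the host has gateway_enable off, so jail traffic cannot fall through to the host's private default route. File paths, the jail name and the NFIBS value are constructed for the demo; on a real host NFIBS would come from `sysctl -n net.fibs`.

```shell
#!/bin/sh
# Added example (not from the message above): config sanity checks for the
# FIB-per-jail setup. File paths, jail name and NFIBS are constructed; on a
# real host NFIBS is the value of `sysctl -n net.fibs`.

# fib_valid FIB NFIBS: FIB must be an integer in 0..NFIBS-1, otherwise
# setfib(1) and jail(8) will refuse it.
fib_valid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -lt "$2" ]
}

# jail_fib EZJAIL_CONFIG JAILNAME: print the jail_<name>_fib value, empty if
# unset (the jail would then share FIB 0 and the host's private default route).
jail_fib() {
    sed -n "s/^export jail_$2_fib=//p" "$1" | tail -n 1 | tr -d '"'
}

# rc_gateway_enable RC_CONF: effective gateway_enable (last setting wins, default NO).
rc_gateway_enable() {
    v=$(sed -n 's/^gateway_enable=//p' "$1" | tail -n 1 | tr -d '"' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "${v:-NO}"
}

# check_jail_fib_setup RC_CONF EZJAIL_CONFIG JAILNAME NFIBS: returns 0 only when
# the jail has its own valid, non-zero FIB and the host is not forwarding.
check_jail_fib_setup() {
    fib=$(jail_fib "$2" "$3")
    [ -n "$fib" ] || { echo "$3: no jail_$3_fib set, jail would use FIB 0"; return 1; }
    fib_valid "$fib" "$4" || { echo "$3: FIB $fib outside 0..$(($4 - 1)); raise net.fibs"; return 1; }
    [ "$fib" -ne 0 ] || { echo "$3: FIB 0 is the host's own table"; return 1; }
    [ "$(rc_gateway_enable "$1")" = NO ] || { echo "host has gateway_enable on; jails could be routed via the host"; return 1; }
    echo "$3: FIB $fib ok; give it a route with: setfib $fib route add default <public gateway>"
}

# Demo on constructed config files (written to a temp dir, removed afterwards).
demo_dir=$(mktemp -d)
printf 'gateway_enable="NO"\nifconfig_em1_alias0="inet 192.168.2.2 netmask 255.255.255.248"\n' > "$demo_dir/rc.conf"
printf 'export jail_myjail_ip="em1|192.168.2.2"\nexport jail_myjail_fib="1"\n' > "$demo_dir/myjail"
check_jail_fib_setup "$demo_dir/rc.conf" "$demo_dir/myjail" myjail 2
check_jail_fib_setup "$demo_dir/rc.conf" "$demo_dir/myjail" myjail 1 || true   # FIB 1 does not exist when net.fibs=1
rm -rf "$demo_dir"
```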




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fd8a791c7e9d7cb1a4c68d286bc32f4e.squirrel>