Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 7 May 2006 13:15:42 -0700 (PDT)
From:      Bigby Findrake <>
To:        "" <>
Subject:   RE: Jails and loopback interfaces
Message-ID:  <>
In-Reply-To: <000001c66f7f$b148b620$01010101@avalon.lan>
References:  <000001c66f7f$b148b620$01010101@avalon.lan>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, 4 May 2006, wrote:

>> I recently did something like this.  I have a webserver in a jail that
>> needs to talk to a database, and the webserver is the only thing that
>> should talk to the databse.
>> My solution was to use 2 jails: one for the webserver, and another for the
>> database.
>> Jail 1:
>>  	* runs webserver
>>  	* binds to real interface with real, routable IP
>> Jail 2:
>> 	* runs database server
>> 	* binds to loopback interface, isn't directly reachable
>> 	  from outside the box
> just to clarify that for me: you did setup this layout or you
> tried to setup this? as i read it, i understand that you did!

I did set it up.  My scenario is up and functioning in production.

> i tried exactly the same but currently jails are bound to the specific
> ip-address assigned with them so i wonder, how the webserver on a real
> ip-address can communicate with the database bound to the loopback ip?
> if you could kindly tell, how you solved this issue (we're using 6.1).

Packets leaving a jail are not limited to leaving the host machine on the 
same interface that the jail is bound to.  The jail is limited to sending 
packets from, and receiving packets to the IP address that its bound to, 
but those packets can go out, or come in, any interface on the host 
machine.  You don't need to do any special routing or firewall or NAT or 
anything to get a jail to be able to talk to the host.

Psychiatrists say that one out of four people are mentally ill.  Check
three friends.  If they're OK, you're it.


Want to link to this message? Use this URL: <>