Date:      Mon, 18 Oct 2010 21:57:55 +0100
From:      "Matthew Law" <matt@webcontracts.co.uk>
To:        "Ivan Voras" <ivoras@freebsd.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Jail question
Message-ID:  <903641d568b60e1b082b793cf1134f7d.squirrel@www.webcontracts.co.uk>
In-Reply-To: <i99mer$r7a$1@dough.gmane.org>
References:  <a326819258145be7f52702ca68402e23.squirrel@www.webcontracts.co.uk> <i99mer$r7a$1@dough.gmane.org>

On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:
> Since jails can do many things there are many "helper" utilities that
> can do much to simplify the process. If you can hack python, you can,
> for example, modify my script at
> http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a
> thousand very light-weight jails which are started and managed using
> only standard FreeBSD tools.
>
> In any case, read rc.conf(5) man page for the jail_* settings.

snip

> This is the more complex question; I think that everything which needs
> direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be
> run on the host system. TCP services will work inside jails without
> problems, but with jails it's almost the same as if they were on another
> system. If you do use NAT you will have to configure it on the host.
> Instead, you can also use TCP proxies (like bsdproxy). It's up to you
> how much complexity you want in your system, but for simplicity I
> would set up a single outward-facing IP address and then proxy TCP
> services where I need them.

Thanks for the helpful replies.  I am experimenting with some ideas on a
VM now.  It certainly does seem more logical to have the firewall, VPN and
NAT rules in the base system and everything else jailed.  I can just about
get by with Python and your script looks like it could be of use - thanks
for sharing it.

Matt.




