From: Emanuel Strobl <Emanuel.strobl@gmx.net>
To: freebsd-current@freebsd.org
Date: Tue, 31 May 2005 00:14:39 +0200
Subject: different default gateway for jails planned/possible?

Dear all,

will it be possible to define a different default gateway for a jail?
Imagine a system with two interfaces, one for the host on a local GbE switch (with NFS service) and the other one connected to a different DMZ switch which should serve different jails.

Now the DMZ is useless, since anybody who broke into one jail can reach all hosts on the "host" interface without the possibility to restrict traffic on the router, since the packets go straight to the GbE interface. This is a big security disadvantage, and if I block these packets I can't connect any longer from machines inside the GbE network to the jails in the DMZ. The request will be routed, but answers go down the "host" interface instead of the DMZ router interface. Even a different default gateway wouldn't help in this case; the kernel would have to "keep in mind" that packets from a jail mustn't be forwarded through any jail-foreign interface. Also the usual routing table would have to be overridden, since packets from a jail should go over the router to the GbE network (although there is a well-known route, the interface which has the GbE net configured).

But at least packets from a jail should be restricted so that they can't pass through any interface(s) other than the one(s) which belong to the particular jail.

I think PF's route-to next-hop rule would be a workaround for my problem, but I'm not too happy to have PF on a GbE fileserver.

Another jail question: Is it possible to limit resources on a per-jail basis? Like the resource restrictions for users in login.conf, only for whole jails.

Thanks a lot,
-Harry
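As an added illustration of the PF route-to workaround the post mentions (this is example configuration, not something from the original mail or the FreeBSD project), the fragment below covers both failure modes the post describes: jail-sourced packets that the kernel would send straight out the GbE interface are handed to the DMZ router, and replies to connections that arrived through that router go back the same way. Interface names, addresses and the jail network are assumed placeholders; the jail addresses are assumed to be bound on the DMZ interface.

```pf
# Added example (not from the original post): PF rules that keep jail
# traffic on the DMZ side of the router.  Interface names, addresses and
# the jail network below are assumed placeholders.
gbe_if   = "em0"            # host interface on the GbE / NFS switch (assumed)
dmz_if   = "em1"            # interface on the DMZ switch (assumed)
dmz_gw   = "192.0.2.1"      # DMZ router, next hop for all jail traffic (assumed)
jail_net = "192.0.2.0/24"   # addresses the jails are bound to on $dmz_if (assumed)

# 1. Jail-sourced packets that the kernel would send straight out the host
#    interface (because the GbE network is directly connected, or because
#    the host's default route points there) are handed to the DMZ router
#    instead, so the router gets to filter them.
pass out quick on $gbe_if route-to ($dmz_if $dmz_gw) \
    from $jail_net to any keep state

# 2. Connections reaching a jail through the DMZ router get their replies
#    sent back via the router as well, not down the host interface.
pass in quick on $dmz_if reply-to ($dmz_if $dmz_gw) \
    to $jail_net keep state

# 3. Safety net: if rule 1 is ever narrowed (for example to specific
#    protocols), remaining jail traffic must not silently fall through to
#    the host interface.  Logged so that misrouting shows up in pflog.
block drop out log quick on $gbe_if from $jail_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -ss` to confirm that jail states are created with the DMZ router as next hop. Note that `set skip on $gbe_if` cannot be used to keep PF off the fileserver's GbE path: rule 1 has to see the packets the stack chose to send on that interface in order to redirect them, which is exactly the overhead the post is wary of.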