Date: Tue, 31 May 2005 00:14:39 +0200
From: Emanuel Strobl <Emanuel.strobl@gmx.net>
To: freebsd-current@freebsd.org
Subject: different default gateway for jails planned/possible?
Message-ID: <200505310014.50780@harrymail>
Dear all,

will it be possible to define a different default gateway for a jail?

Imagine a system with two interfaces, one for the host on a local GbE switch (with NFS service) and the other one connected to a different DMZ switch which should serve different jails.

Now the DMZ is useless, since anybody who broke into one jail can reach all hosts on the "host" interface without having the possibility to restrict traffic on the router, since the packets go straight to the GbE interface. This is a big security disadvantage, and if I block these packets I can't any longer connect from machines inside the GbE network to the jails in the DMZ. The request will be routed, but answers go down the "host" interface instead of the DMZ router interface. Even a different default gateway wouldn't help in this case; the kernel would have to "keep in mind" that packets from a jail mustn't be forwarded through any jail-foreign interface. Also the usual routing table would have to be overwritten, since packets from a jail should go over the router to the GbE network (although there is a well-known route, the interface which has the GbE net configured).

But at least packets from a jail should be limited so that they can't pass any other interface(s) than the one(s) which belong to the particular jail.

I think PF's route-to next-hop rule would be a workaround for my problem, but I'm not too happy to have PF on a GbE fileserver.

Another jail question: Is it possible to limit resources on a per-jail basis? Like resource restrictions for users in login.conf, only for whole jails.
Thanks a lot,
-Harry
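The PF workaround mentioned in the post, written out as an added example that is not part of the original message; interface names, the jail address range and the DMZ router address are constructed. It uses reply-to for the inbound case the post describes (requests arrive on the host interface, but the answers must go back through the DMZ router) and route-to for connections the jails open themselves, so the router sees both directions and can filter them.

```pf
# pf.conf fragment (added example; all names and addresses are constructed)
int_if   = "bge0"           # host interface on the local GbE switch
dmz_if   = "em0"            # interface on the DMZ switch the jails live on
jail_net = "192.0.2.0/24"   # constructed: addresses the jails are bound to
dmz_gw   = "192.0.2.1"      # constructed: DMZ router next hop

# Connections from the GbE net into a jail: accept them on the host
# interface, but send the replies back out via the DMZ router instead of
# straight down the host interface (reply-to acts on the return direction).
pass in quick on $int_if reply-to ($dmz_if $dmz_gw) \
    from any to $jail_net keep state

# Connections a jail opens itself: if the kernel chose the host interface
# (a directly connected GbE destination), reroute them via the DMZ router.
pass out quick on $int_if route-to ($dmz_if $dmz_gw) \
    from $jail_net to any keep state

# Nothing else sourced from a jail address may leave the host interface.
block drop out quick on $int_if from $jail_net to any
```

The reply-to rule matters because a reply that matches an existing state is not re-evaluated against the rule set, so a route-to rule on the outbound side alone would not catch answers to connections that came in on the host interface.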