Date:      Thu, 29 Jan 2009 00:18:31 +0100 (CET)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-stable@FreeBSD.ORG, marck@rinet.ru
Subject:   Re: jail: external and localhost distinction
Message-ID:  <200901282318.n0SNIVOd021935@lurza.secnetix.de>
In-Reply-To: <alpine.BSF.2.00.0901290021000.91263@woozle.rinet.ru>

Dmitry Morozovsky wrote:
 > am I right concluding that under FreeBSD jail there is no way to attach two 
 > processes to the same port of external interface address and localhost?

It depends.  Do those jailed processes have to communicate
with each other, or only with the host system?

If they do _not_ have to communicate with each other, it's
easy.  You have to put the second jail on a localhost IP
address (not necessarily 172.1; you can create an alias on
lo0 like 127.2 or similar).

If they have to communicate with each other, it gets more
complicated.  If they need to communicate directly, you
must put both jails on the same IP address, but then you
cannot bind the processes to different IP addresses.

Note that localhost is not handled specially within jails:
If you try to bind a process to a localhost IP, it is
forced to bind to the jail's IP instead.  That's what is
causing your error message:

 > [Thu Jan 29 00:09:32 2009] [crit] (48)Address already in use: make_sock: could 
 > not bind to address 127.0.0.1 port 80

If they do have to communicate with each other, but you
need the jails to be on different IP addresses, there
are several ways to solve the problem, but they all
smell a bit like a dirty hack.  One way (probably the
easiest one) is to forward packets between the jails
using IPFW "fwd" rules (or IPF ipnat "rdr" rules, or
PF translation rules).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registration court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Munich registration
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

I suggested holding a "Python Object Oriented Programming Seminar",
but the acronym was unpopular.
        -- Joseph Strout
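
The remapping described in the message above means a service configured as loopback-only inside a jail can end up listening on the jail's own IP. The following check is an added example, not part of the original e-mail: it binds to a requested address and compares it with what the kernel reports. The names `classify` and `probe_bind` are hypothetical, and it assumes `getsockname()` reflects the address the socket was actually bound to.

```python
import ipaddress
import socket


def classify(requested: str, actual: str) -> str:
    """Compare the address passed to bind() with the one the kernel reports."""
    req = ipaddress.ip_address(requested)
    act = ipaddress.ip_address(actual)
    if req == act:
        return "as-requested"
    if req.is_loopback and not act.is_loopback:
        # A "localhost-only" listener is reachable on a non-loopback address.
        return "remapped-to-non-loopback"
    return "remapped"


def probe_bind(requested: str = "127.0.0.1", port: int = 0):
    """Bind a TCP socket and return (actual_address, verdict).

    port=0 lets the kernel pick a free port, so the probe does not collide
    with a service that is already listening (the "Address already in use"
    case quoted in the message).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((requested, port))
        actual = s.getsockname()[0]
    return actual, classify(requested, actual)


if __name__ == "__main__":
    try:
        actual, verdict = probe_bind()
    except OSError as exc:
        print(f"bind to 127.0.0.1 failed: {exc}")
    else:
        print(f"requested 127.0.0.1, bound to {actual}: {verdict}")
        if verdict == "remapped-to-non-loopback":
            print("a loopback-only listener here is exposed on this address")
```

Run it inside the jail and on the host; a verdict other than `as-requested` means packet-filter rules, not the bind address, have to restrict who can reach the service.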


