From: Jon
Reply-To: cykyc@yahoo.com
Date: Sat, 13 Apr 2002 22:02:07 -0700 (PDT)
Subject: jail, FreeBSD 4.5 -S, IP forwarding, thoughts
To: questions@freebsd.org

How difficult would it be in -STABLE to implement the following concept via some on/off knob?

- if enabled, allow ip forwarding on the host system & not allow jails to ip forward between other jails or the host system.

I would assume then the following idea would work: a jail running on an aliased IP that has a direct route out the network would have no way to access any non-routable addresses outside its network on the local host, but the host system could still forward IP internally to/from its other networks.

While the idea could be implemented with firewall ACLs, it seems if the idea does work, it would add an additional layer of network security to the jails that is always consistent with each and every jail (if wanted).

If aliasing needs to have IP forwarding, then this idea is invalid. I didn't see any reference from ifconfig(8) or jail(8) man pages. I'm no wizard w/ the source, so I didn't check.

Just a thought...

Jon
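The firewall-ACL route Jon mentions, as an added example that is not part of the original post: a POSIX sh script that emits an ipfw(8) ruleset pinning each jail to its own aliased address and the outside while the host keeps forwarding for its other networks. The jail addresses, internal networks and rule numbers are constructed placeholders, and the `via lo0` match assumes that traffic between two addresses on the same host is looped back through lo0.

```shell
#!/bin/sh
# Added example (not from the original post): emit ipfw(8) rules that let each
# jail reach only its own aliased address and the outside world, while denying
# it the host's other networks and the other jails. The host's own forwarding
# between its internal networks is left untouched.
#
# Assumptions: jail addresses and internal networks below are constructed
# placeholders; packets between two addresses on the same host pass through
# lo0, so "via lo0" catches jail-to-host and jail-to-jail traffic.

JAILS="10.0.0.11 10.0.0.12"              # aliased jail addresses (constructed)
INTERNAL="192.168.1.0/24 172.16.0.0/12"  # host's other networks (constructed)
BASE=1000                                 # first rule number (constructed)

gen_jail_rules() {
    n=$BASE
    for j in $JAILS; do
        # inside a 4.x jail, 127.0.0.1 is rewritten to the jail's own address,
        # so jail-local services must still be allowed to talk to themselves
        echo "add $n allow ip from $j to $j"
        n=$((n + 1))
        # every other local destination (host addresses, other jails) is
        # delivered over lo0: deny it before anything else can match
        echo "add $n deny ip from $j to any via lo0"
        n=$((n + 1))
        # keep the jail off the networks the host forwards for, both ways
        for net in $INTERNAL; do
            echo "add $n deny ip from $j to $net"
            n=$((n + 1))
            echo "add $n deny ip from $net to $j"
            n=$((n + 1))
        done
    done
}

# number of rules the generator produces (2 jails x 6 rules = 12 here)
count_rules() {
    gen_jail_rules | wc -l | tr -d ' '
}

# "apply" loads the rules through ipfw's file mode; otherwise they are only
# printed so they can be reviewed first
if [ "$1" = "apply" ]; then
    RULES=$(mktemp /tmp/jail-rules.XXXXXX) || exit 1
    gen_jail_rules > "$RULES"
    ipfw -q "$RULES"
    rm -f "$RULES"
else
    gen_jail_rules
fi
```

Running it without arguments prints the ruleset for inspection; `sh jailrules.sh apply` loads it, and a jail's reachable set is then its own address plus whatever its default route leads to.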