Date:      Sat, 13 Apr 2002 22:02:07 -0700 (PDT)
From:      Jon <cykyc@yahoo.com>
To:        questions@freebsd.org
Subject:   jail, FreeBSD 4.5 -S, IP forwarding, thoughts
Message-ID:  <20020414050207.49325.qmail@web20605.mail.yahoo.com>

How difficult would it be in -STABLE to implement the following
concept via some on/off knob?

 - if enabled, allow ip forwarding on the host system & not allow
jails to ip forward between other jails or the host system.

I would assume then the following idea would work: a jail running
on an aliased IP that has a direct route out the network would have
no way to access any non-routable addresses outside its network on
the local host, but the host system could still forward IP
internally to/from its other networks.  While the idea could be
implemented with firewall ACLs, it seems if the idea does work,
it would add an additional layer of network security to the jails
that is always consistent with each and every jail (if wanted).

If aliasing needs to have IP forwarding, then this idea is invalid.
I didn't see any reference from ifconfig(8) or jail(8) man pages.
I'm no wizard w/ the source, so I didn't check.

Just a thought...

Jon
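
The firewall-ACL alternative mentioned in the message, sketched as an added example (not part of the original e-mail and not FreeBSD project code): a script that prints, without running them, ipfw deny rules keeping each jail address away from the host, the other jails and the non-routable internal networks. All addresses, the function name and the rule numbers are assumptions; the rules are numbered below 100 on the assumption that the ruleset has the stock rc.firewall loopback pass rule at 100, since traffic between local addresses crosses lo0.

```shell
#!/bin/sh
# Added example: print ipfw rules that isolate jails by source address.
# A jail's sockets are bound to its single IP, so "from <jail-ip>" matches
# the traffic it originates. Every address below is constructed.

JAIL_IPS="192.0.2.10 192.0.2.11"        # aliased jail addresses (constructed)
HOST_IPS="192.0.2.1 10.0.0.1"           # the host's own addresses (constructed)
INTERNAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC 1918 ranges

# jail_isolation_rules BASE "jail ips" "host ips" "internal nets"
# (hypothetical helper) Emits one "ipfw add" line per forbidden
# (jail, destination) pair, numbering rules upward from BASE.
jail_isolation_rules() {
    rule=$1; jails=$2; hosts=$3; nets=$4
    for j in $jails; do
        # Forbidden destinations: host, internal nets, every *other* jail.
        for dst in $hosts $nets $jails; do
            [ "$dst" = "$j" ] && continue    # a jail may still reach itself
            echo "ipfw add $rule deny log ip from $j to $dst"
            rule=$((rule + 1))
        done
    done
}

# Review the output, then load it ahead of any pass rules in the ruleset.
jail_isolation_rules 50 "$JAIL_IPS" "$HOST_IPS" "$INTERNAL_NETS"
```

Host forwarding (net.inet.ip.forwarding) is untouched by these rules, because they match only packets whose source is a jail address.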