Date:      Fri, 7 Feb 2014 08:38:02 +0000
From:      krad <kraduk@gmail.com>
To:        Jim Ohlstein <jim@ohlste.in>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>, Tyler Saylor <tyler@680x0.com>
Subject:   Re: pf and jails
Message-ID:  <CALfReyd%2BmLsEwBVFVuEzXRyU6WVUZ-%2BLw6j5OG_=Ozwt-xB%2BZw@mail.gmail.com>
In-Reply-To: <52F3A8B7.3000608@ohlste.in>
References:  <CAEZtMDYgTned8uN0pJ1DstuHjOiNF3pu0cwZNwfjnL570tFxvQ@mail.gmail.com> <52F3A8B7.3000608@ohlste.in>

It might be worth looking at VIMAGE jails, as then you get a dedicated
network stack for each jail, and a lot of these issues will go away.
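As an added illustration of the VIMAGE suggestion above (not part of the thread and not the poster's configuration), here is a jail.conf(5) stanza that gives the mysql jail its own network stack. The interface names (epair0, bridge0), the jail path, hostname and address are assumptions; bridge0 is assumed to already exist on the host. On FreeBSD 10-RELEASE the GENERIC kernel does not include VIMAGE, so this needs a kernel built with `options VIMAGE`.

```conf
# Added example jail.conf(5) entry: a VIMAGE (vnet) jail for mysql.
# Not from the thread; interface names, paths and addresses are assumed.
# Requires a kernel built with "options VIMAGE" on FreeBSD 10.
mysql {
    path = "/usr/jails/mysql";
    host.hostname = "mysql.example.internal";
    mount.devfs;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Own network stack: the jail gets the "b" end of an epair(4),
    # the host keeps the "a" end.
    vnet;
    vnet.interface = "epair0b";

    # Create the epair before the jail starts and attach the host end
    # to a bridge that the other jails' epairs are also members of.
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a up";

    # The jail configures its own address on epair0b, e.g. in its own
    # /etc/rc.conf:  ifconfig_epair0b="inet 10.1.1.1/24"

    # Tear the epair down after the jail stops.
    exec.poststop  = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";
}
```

With this layout, jail-to-jail traffic travels over bridge0 rather than over a shared lo1 clone, and the host can still filter that traffic with pf on epair0a, the end it owns, so the filtering policy for the mysql jail is written against one clearly named interface instead of against traffic that all jails share.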


On 6 February 2014 15:22, Jim Ohlstein <jim@ohlste.in> wrote:

> Hello,
>
>
> On 2/6/14, 9:34 AM, Tyler Saylor wrote:
>
>> Hello,
>>
>> I'm running FreeBSD 10-RELEASE on i386. I have set up a few jails for
>> services such as httpd and postfix using ezjail. The host has one physical
>> ethernet interface and I have five routeable IPv4 addresses; of the five,
>> four are assigned to a jail and one is assigned to the host. I have a jail
>> for mysql that is set up to use a clone of lo and the address "10.1.1.1".
>> I'm also using pf to filter traffic to each service on the host.
>>
>> My question is this: How do I make it so that the other jails that are
>> bound to routable addresses are able to interact with the jail on 10.1.1.1? Is
>> there some magic pf voodoo I'm not understanding, or some mental deficiency
>> I'm just now being made aware of? I've included my pf.conf and included an
>> illustration.
>>
>> Thanks for any help,
>> //Tyler Saylor
>>
>> For illustration:
>>
>> Each pipe represents a real, routable IPv4 address assigned to the
>> respective jail. The star represents the private address of the jail I'd
>> like to be accessible from the others.
>>
>> em0--|--|--|--|--|  lo1--*
>>      h  w  i  m  s       m
>>      o  w  r  a  v       y
>>      s  w  c  i  n       s
>>      t        l          q
>>                          l
>>
>> pf.conf
>>
>> http://pastebin.ca/2630464
>>
>
>
> Assuming all of your jails are on the same loopback clone, and assuming
> you have not set "skip-networking" in your my.cnf, they should be able to
> talk to one another using the IP of the jail in question.
>
> Have you tried telnet?
>
> # telnet 10.1.1.1 3306
>
> That should give a result like:
>
> Trying 10.1.1.1...
> Connected to 10.1.1.1.
> Escape character is '^]'.
> N
> ...
>
> In your app, you'll probably need to set the "database host" or similar to
> the jail IP (10.1.1.1 in this case) rather than to "localhost".
>
> --
> Jim Ohlstein
>
>
> "Never argue with a fool, onlookers may not be able to tell the
> difference." - Mark Twain
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe@freebsd.org"
>
