From owner-freebsd-questions@FreeBSD.ORG Fri Feb 7 08:38:03 2014
From: krad
To: Jim Ohlstein
Cc: FreeBSD Questions, Tyler Saylor
Subject: Re: pf and jails
Date: Fri, 7 Feb 2014 08:38:02 +0000
In-Reply-To: <52F3A8B7.3000608@ohlste.in>
References: <52F3A8B7.3000608@ohlste.in>
List-Id: User questions
It might be worth looking at VIMAGE jails, as then you get a dedicated network stack for each jail and a lot of these issues will go away.

On 6 February 2014 15:22, Jim Ohlstein wrote:
> Hello,
>
>
> On 2/6/14, 9:34 AM, Tyler Saylor wrote:
>
>> Hello,
>>
>> I'm running FreeBSD 10-RELEASE on i386. I have set up a few jails for
>> services such as httpd and postfix using ezjail. The host has one physical
>> ethernet interface and I have five routable IPv4 addresses; of the five,
>> four are assigned to a jail and one is assigned to the host. I have a jail
>> for mysql that is set up to use a clone of lo and the address "10.1.1.1".
>> I'm also using pf to filter traffic to each service on the host.
>>
>> My question is this: How do I make it so that the other jails that are
>> bound to routable addresses are able to interact with the jail on 10.1.1.1?
>> Is there some magic pf voodoo I'm not understanding, or some mental
>> deficiency I'm just now being made aware of? I've included my pf.conf and
>> included an illustration.
>>
>> Thanks for any help,
>> //Tyler Saylor
>>
>> For illustration:
>>
>> Each pipe represents a real, routable IPv4 address assigned to the
>> respective jail. The star represents the private address of the jail I'd
>> like to be accessible from the others.
>>
>> em0--|--|--|--|--|   lo1--*
>>      h  w  i  m  s        m
>>      o  w  r  a  v        y
>>      s  w  c  i  n        s
>>      t        l           q
>>                           l
>>
>> pf.conf
>>
>> http://pastebin.ca/2630464
>>
>
>
> Assuming all of your jails are on the same loopback clone, and assuming
> you have not set "skip-networking" in your my.cnf, they should be able to
> talk to one another using the IP of the jail in question.
>
> Have you tried telnet?
>
> # telnet 10.1.1.1 3306
>
> That should give a result like:
>
> Trying 10.1.1.1...
> Connected to 10.1.1.1.
> Escape character is '^]'.
> N
> ...
>
> In your app, you'll probably need to set the "database host" or similar to
> the jail IP (10.1.1.1 in this case) rather than to "localhost".
>
> --
> Jim Ohlstein
>
>
> "Never argue with a fool, onlookers may not be able to tell the
> difference." - Mark Twain
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
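The thread only links the real pf.conf, so what follows is an added example, not Tyler's ruleset and not anything from the FreeBSD project. It applies Jim's point (the jails share the host's network stack, so a jail on em0 can reach 10.1.1.1 without any NAT or routing trick) while keeping the database jail reachable only from the jails that need it. Only em0, lo1, 10.1.1.1 and port 3306 come from the thread; the 203.0.113.0/24 addresses, the choice of the www and mail jails as the sole database clients, and the service ports are assumptions standing in for the poster's real values.

```pf
# Added example pf.conf for the layout described in the thread.
# Assumed: host and four jails on em0 with routable addresses (203.0.113.0/24
# is documentation space standing in for them); the mysql jail on lo1 as
# 10.1.1.1. Ports other than 3306 are assumptions as well.

ext_if   = "em0"
host_ip  = "203.0.113.10"
www_ip   = "203.0.113.11"
irc_ip   = "203.0.113.12"
mail_ip  = "203.0.113.13"
svn_ip   = "203.0.113.14"
mysql_ip = "10.1.1.1"

# Only the jails that actually need the database (assumed: www and mail).
db_clients = "{ 203.0.113.11, 203.0.113.13 }"

set block-policy drop
scrub in all

# Deliberately no 'set skip on lo'. Traffic between two addresses on the same
# host never touches em0; it is delivered over a loopback interface, and the
# 'lo' group covers lo0 and lo1, so skipping it would leave every jail-to-mysql
# connection unfiltered.

# Default deny in both directions on every interface.
block all

# Host-local plumbing (127.0.0.1 <-> 127.0.0.1) that 'block all' would otherwise break.
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# The local delivery path to the database jail: db clients only, 3306 only,
# no direction keyword so the same rule covers the out and in halves of the
# loopback hop. Both loopback interfaces are listed; see the note below on
# checking which one really carries the traffic.
pass on { lo0, lo1 } proto tcp from $db_clients to $mysql_ip port 3306

# The irc and svn jails get no rule for $mysql_ip and fall through to 'block all'.

# Belt and braces: the private address must never be reachable or routed via
# the external interface, even if a later rule is added carelessly.
block quick on $ext_if from $mysql_ip
block quick on $ext_if to $mysql_ip

# Services exposed on the routable addresses (ports assumed).
pass in on $ext_if proto tcp to $host_ip port 22
pass in on $ext_if proto tcp to $www_ip  port { 80, 443 }
pass in on $ext_if proto tcp to $mail_ip port { 25, 587 }
pass in on $ext_if proto tcp to $irc_ip  port 6667
pass in on $ext_if proto tcp to $svn_ip  port 3690

# Outbound from host and jails.
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Two things are worth verifying on the host rather than taking on trust. First, which loopback interface carries jail-to-jail traffic: look at the host route for 10.1.1.1 in `netstat -rn -f inet`, then run Jim's telnet test from the www jail while watching `tcpdump -ni lo1 port 3306` (and lo0 if nothing appears); the example lists both interfaces so it matches either way, but knowing the real path is what lets you tighten it. Second, the `from $db_clients` restriction is only as good as the source address, and that is trustworthy here because a non-VIMAGE jail is confined to the addresses assigned to it and, unless allow.raw_sockets is enabled for that jail, cannot emit packets with another jail's address. If you move to VIMAGE jails as krad suggests, each jail has its own stack, and the host's pf only sees their traffic on the host-side epair or bridge interfaces, so rules like the ones above have to be rewritten against those interfaces rather than lo0 and lo1.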