Date: Thu, 24 Apr 2014 18:23:17 -0500 From: Rob J <rjohanne@gmail.com> To: freebsd-net@freebsd.org Subject: vnet - using a jail as a default firewall gateway to internet Message-ID: <CAEsfORzK3TftMgEzToxCb=mos1=K2_aO4jVZ=VgGXqFoxc6Mug@mail.gmail.com>
Hi,

I have been playing with vnet jails, and have a configuration working that I thought would not be (based on the docs out there), but it is.

I have a box with 3 NICs - hme0, em0 and em1. Basically, with the assumption that the internet-facing gateway is potentially a weak point, I set out to configure a jail on the above box to be the gateway, rather than the physical host itself.

I recompiled the kernel with the VIMAGE option, and set up a jail that uses em0 (192.168.x.y) as the LAN side and hme0 (public IP a.b.c.d) as the ISP side. On the jail itself, its default route to the internet is public IP a.b.c.e (same network as interface hme0 above). Then I set the rest of my LAN to point to 192.168.x.y (interface em0 above) as the default gateway.

I have access to the internet with that configuration, routing through the jail (or at least I think so) - everything seems to work. The two errors I get upon starting the jail are: "sysctl: net.inet.ip.sourceroute not permitted" and "sysctl: net.inet.ip.accept_sourceroute not permitted".

Anybody know what may be broken with my configuration? All the docs I read about having a jail route traffic seemed to imply it is undoable. Did I create a glaring hole in my network by having this design as my firewall and router?

I also noticed that the physical host is doing all the logging for dmesg and security, when I thought the jail would, but it is beginning to make sense that the kernel is only running on the physical host, and therefore does the logging of all kernel-related activities.

Any comments or suggestions welcome.

Thanks,
Robert
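The layout Robert describes, written out as a jail.conf entry plus the two rc.conf fragments that go with it. This is an added example, not Robert's own configuration or anything from the thread: the jail name, path, hostname, the /24 and /29 prefix lengths and the management address on em1 are assumptions, and the a.b.c.d / 192.168.x.y placeholders are carried over from the post rather than real addresses. The point it makes explicit is the division of interfaces: em0 and hme0 are handed to the jail's vnet and are never given an address on the host, so the host keeps only em1, and IP forwarding is turned on inside the jail (net.inet.ip.forwarding is per-vnet) rather than on the host.

```conf
# /etc/jail.conf on the physical host (added example; names and paths are assumptions)
gw {
    host.hostname = "gw.lan.local";        # assumed hostname
    path = "/jails/gw";                    # assumed jail root

    vnet;                                  # give the jail its own network stack
    vnet.interface = "em0", "hme0";        # both NICs move into the jail's vnet;
                                           # jail(8) returns them to the host when the jail is removed

    exec.start = "/bin/sh /etc/rc";        # jail's own rc configures addresses and routes
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
}

# /jails/gw/etc/rc.conf - inside the jail (added example)
# LAN side: the address the rest of the LAN uses as its default gateway
ifconfig_em0="inet 192.168.x.y/24"           # /24 is an assumption
# ISP side: public address on the same network as the upstream router
ifconfig_hme0="inet a.b.c.d/29"              # /29 is an assumption
defaultrouter="a.b.c.e"                      # upstream router on the hme0 network
gateway_enable="YES"                         # sets net.inet.ip.forwarding=1 in the jail's vnet

# /etc/rc.conf on the physical host (added example)
# em0 and hme0 get no address here: they belong to the jail while it runs.
# The host is reachable only on the third NIC.
ifconfig_em1="inet 192.168.z.w/24"           # assumed management address
jail_enable="YES"
jail_list="gw"
```

With this split the host has no interface on the ISP network at all, which is the property the design is after. Anything the jail cannot set, such as the two sysctl errors quoted in the post, shows up at jail start because the jail's /etc/rc tries to apply the host-wide defaults from inside the vnet; the forwarding and routing settings the gateway actually needs are the ones in the jail's rc.conf above.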