Date: Fri, 25 Apr 2014 13:39:46 +0800
From: Julian Elischer <julian@freebsd.org>
To: Rob J <rjohanne@gmail.com>, freebsd-net@freebsd.org
Subject: Re: vnet - using a jail as a default firewall gateway to internet
Message-ID: <5359F522.5080905@freebsd.org>
In-Reply-To: <CAEsfORzK3TftMgEzToxCb=mos1=K2_aO4jVZ=VgGXqFoxc6Mug@mail.gmail.com>
References: <CAEsfORzK3TftMgEzToxCb=mos1=K2_aO4jVZ=VgGXqFoxc6Mug@mail.gmail.com>
On 4/25/14, 7:23 AM, Rob J wrote:
> Hi,
>
> I have been playing with vnet jails, and have a configuration working that
> I thought would not be (based on the docs out there), but it is. I have a
> box with 3 NICs - hme0, em0 and em1. Basically, with the assumption that
> the internet facing gateway is potentially a weak point, I set out to
> configure a jail on the above box to be the gateway, rather than the
> physical host itself. I recompiled the kernel, with the VIMAGE option, and
> setup a jail that uses em0 (192.168.x.y) as the lan side and hme0 (public
> IP a.b.c.d) is the ISP side.

Conceptually, the normal base system is just a single instance of a vnet
jail, so any situation that you can do with a separate machine as router
should be doable with a vnet jail in that role.

The error messages you see are because some sysctls can not be done from
within a jail. There may be a setting to allow them to happen in a jail...
I have not checked.

You may attach your regular 'base' system to the jail using a physical
ethernet, or it may have a shortcut with its own epair or netgraph link to
the router instance. This is exactly the sort of situation we wanted to
write vnets for.

> On the jail itself, its default route to the internet is public IP a.b.c.e
> (same network of interface hme0 above). Then I set the rest of my lan to
> point to 192.168.x.y (interface em0 above) as the default gateway. I have
> access to the internet with that configuration, routing through the jail
> (or at least I think so) - everything seems to work. The two errors I get
> upon starting the jail, are: "sysctl: net.inet.ip.sourceroute not
> permitted" and "sysctl: net.inet.ip.accept_sourceroute not permitted". Anybody
> know what may be broken with my configuration? All the docs I read
> about having a jail route traffic seemed to imply it is undoable.
>
> Did I create a glaring hole in my network by having this design as my
> firewall and router?
>
> I also noticed that the physical host is doing all
> the logging for dmesg and security, when I thought the jail would, but it
> is beginning to make sense that the kernel is only running on the physical
> host, and therefore does the logging of all kernel related activities.
>
> Any comments or suggestions welcome.
>
> Thanks,
>
> Robert
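As an added example (not configuration posted by either Rob or Julian): a jail.conf(5) entry and the jail's rc.conf for the layout described in the thread, using a host-side epair as the "shortcut" link Julian mentions so the host itself also routes through the jail. The interface names em0 and hme0 come from the thread; the jail name, path, and all addresses (RFC 1918 / RFC 5737 ranges) are placeholders chosen here.

```conf
# /etc/jail.conf on the host (example; name, path and addresses are assumptions)
gw {
    host.hostname = "gw.example.invalid";
    path = "/jails/gw";
    vnet;
    # Move both physical NICs into the jail's vnet; the host keeps no address
    # on them, so the only way to or from the ISP is through the jail's ruleset.
    # epair0b is the optional host<->router shortcut Julian describes.
    vnet.interface = "em0", "hme0", "epair0b";
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.2/30 up";
    exec.start     = "/bin/sh /etc/rc";
    # Once the jail is up, the host sends its own traffic via the jail too.
    exec.poststart = "route add default 10.0.0.1";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "route delete default";
    exec.poststop += "ifconfig epair0a destroy";
    exec.clean;
    mount.devfs;
    persist;
}

# /jails/gw/etc/rc.conf inside the jail
hostname="gw.example.invalid"
ifconfig_em0="inet 192.168.1.1/24"      # LAN side (192.168.x.y in the thread)
ifconfig_hme0="inet 203.0.113.10/24"    # ISP side (a.b.c.d in the thread)
ifconfig_epair0b="inet 10.0.0.1/30"     # shortcut to the physical host
defaultrouter="203.0.113.1"             # ISP next hop (a.b.c.e in the thread)
gateway_enable="YES"                    # sets net.inet.ip.forwarding=1 in this vnet
firewall_enable="YES"                   # ipfw was the VNET-aware firewall at the time
firewall_type="/etc/ipfw.rules"         # rules file kept inside the jail
firewall_logging="YES"
# The two "not permitted" messages come from the jail's startup scripts
# trying to set net.inet.ip.sourceroute / accept_sourceroute. Both default
# to 0 (off); confirm on the host with:  sysctl net.inet.ip.sourceroute
```

Kernel-level events (dmesg, ipfw log lines via syslogd) are still produced by the single kernel and land in the host's logs, as Rob observed, so log review and alerting belong on the host rather than inside the jail.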