From owner-freebsd-stable@FreeBSD.ORG Wed Jan 31 11:53:57 2007 Return-Path: X-Original-To: freebsd-stable@FreeBSD.ORG Delivered-To: freebsd-stable@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 848F816A400 for ; Wed, 31 Jan 2007 11:53:57 +0000 (UTC) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.freebsd.org (Postfix) with ESMTP id E9E0C13C49D for ; Wed, 31 Jan 2007 11:53:56 +0000 (UTC) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (jajcho@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id l0VBrnUQ068133; Wed, 31 Jan 2007 12:53:54 +0100 (CET) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.13.4/8.13.1/Submit) id l0VBrn4D068132; Wed, 31 Jan 2007 12:53:49 +0100 (CET) (envelope-from olli) Date: Wed, 31 Jan 2007 12:53:49 +0100 (CET) Message-Id: <200701311153.l0VBrn4D068132@lurza.secnetix.de> From: Oliver Fromme To: freebsd-stable@FreeBSD.ORG, jeff@sailorfej.net In-Reply-To: <45C06A42.6000001@sailorfej.net> X-Newsgroups: list.freebsd-stable User-Agent: tin/1.8.2-20060425 ("Shillay") (UNIX) (FreeBSD/4.11-STABLE (i386)) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Wed, 31 Jan 2007 12:53:54 +0100 (CET) Cc: Subject: Re: jails and multple interfaces X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-stable@FreeBSD.ORG, jeff@sailorfej.net List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Jan 2007 11:53:57 -0000 Jeffrey Williams wrote: > I am trying to set a jail hosting server to support multiple jails for > development testing. > > The server has two network interfaces, I am configuring one for host > server to use, and the other with several aliased IPs, one for each of > the jail servers. > > All the services running on the host are configured to bind to the host > IP on the first interface. > > The crux is both interfaces on the same network, I am seeing the > expected arp errors (e.g. kernel: arp: x.x.x.x is on int0 but got reply > on int1), now I know I set the sysctl variable > net.link.ether.inet.log_arp_wrong_iface=0 to get rid of these messages, > but what I want to know if there are any other problems I am going to > have having both interfaces live on the same network. What exactly are your inetrface configurations and netmasks (ifconfig output might be useful)? You say that both NICs are on teh same network. Does that mean they're connected to teh same switch? That's generally not a good idea. It doesn't buy you anything (unless you use VLAN technology or other additional measures). > Also even though > I have the jail host's services all binding to the first interfaces ip, > there is not guarantee that network traffic originating from the jail > host will only use its primary interface/IP, is their anyway to ensure > that the jail host does not try to talk through the interface being used > by the jails? Any network traffic originating from a jail is guaranteed to use the jail's IP address. The interface that will be used is the one according to your routing table entry for that IP address. (Unless you use things like IPFW FWD or similar to redirect the packets somewhere else.) Best regards Oliver PS: Be very careful when binding services to localhost (127.0.0.1) within the jail. They will listen on the jail's official IP address instead! For that reason I often configure an addition address on lo0 (e.g. 127.0.0.2) and use that one for internal-only traffic such as DNS and mail between host and jails. -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, USt-Id: DE204219783 Any opinions expressed in this message are personal to the author and may not necessarily reflect the opinions of secnetix GmbH & Co KG in any way. FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd "In My Egoistical Opinion, most people's C programs should be indented six feet downward and covered with dirt." -- Blair P. Houghton