Date:      Fri, 2 Aug 2013 14:44:47 -0600
From:      Josh Beard <josh@signalboxes.net>
To:        Fbsd8 <fbsd8@a1poweruser.com>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: Starting jail breaks routing / multi-network jail
Message-ID:  <CAHDrHSv7t7f3Sdje1WFy+jgDjEtAdgLcKHnT4PCrK0L4Op0OPw@mail.gmail.com>
In-Reply-To: <51FBAE91.7030205@a1poweruser.com>
References:  <CAHDrHStCng+zg=_RThWysgRm5wD=DxxzJQz=+oZL8JwbX+Xh7w@mail.gmail.com> <51FBAE91.7030205@a1poweruser.com>

Thanks for the advice, but not totally correct.

On Fri, Aug 2, 2013 at 7:05 AM, Fbsd8 <fbsd8@a1poweruser.com> wrote:

> Josh Beard wrote:
>
>> Hello,
>>
>> I posted this on forums.freebsd.org (
>> http://forums.freebsd.org/showthread.php?t=41135),
>> but figured I may have
>> better luck here.
>>
>> <--snipped-->
>
>
>
> Let me start off by saying I am no network expert. This is my understanding
> of how jail works.
>
> 1. There are 2 ways to define jails, the legacy rc.d-script method where
> the jail description parameters are in /etc/rc.conf and the jail(8) method
> that finally has all the bugs fixed in 9.2 where the jail description
> parameters are in /etc/jail.conf. These 2 methods can not be mixed together.
>
> 2. By design normal jails defined using either method ONLY access a
> single NIC having a single or multiple IPv4/IPv6 ip address/addresses.
>
> 3. The only way to assign multiple NICs to a jail is by using the highly
> experimental vimage software that has to be compiled into the host's kernel,
> which limits the host to only using the IPFW firewall. PF and IPF firewalls on
> the host with vimage will cause a hang.
>

No - I'm using multiple NICs on my jails with different addresses without
using vimage.


>
> 4. fibs are only configured on the host; it takes a boot option or the
> kernel has to be recompiled to increase the number of system fibs available
> to the host before you can assign a second one to a jail.
>
> 5. This is incorrect syntax
> ip="igb0|172.30.112.192,igb1|24.111.1.a"
> should be
> ip="172.30.112.192,24.111.1.a"
> No nic device name. Not issuing an error does not mean it's correct.
>

That *does* work!  Again, I'm using ezjail. Not sure how stock jail
configuration is.


>
> My jail system has 4 LAN only jails that have outbound access to the
> public internet and 2 public accessible jails for my web and email servers
> using the same public routable dynamic IPv4 IP address assigned by my ISP
> without the need for special host firewall port redirection.
>
> I use the qjail version 3.1 utility to admin my jail system.
> Due to the 9.2-BETA port freeze qjail-3.2 which adds IPv6 support has not
> been committed to the port system yet.
>
> The port-make-files can be downloaded from here
>   http://sourceforge.net/projects/qjail/files/Port%20make%20files/
>
> Good luck.
>
>
>
Thanks.
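As an added illustration (not code from this thread or from ezjail), a small POSIX sh dry run that expands an ezjail/rc.d-style jail IP list of `[iface|]address[/prefix]` entries, like the `igb0|...,igb1|...` string discussed above, into the per-interface alias commands a jail start script would issue, and rejects malformed entries. The /32 and /128 prefix defaults, the igb interface names and the 198.51.100.7 and 2001:db8::10 sample addresses are assumptions.

```shell
# jail_ip_to_ifconfig DEFAULT_IFACE IP_LIST
# Expands an rc.d/ezjail-style list "[iface|]addr[/prefix],..." into the
# per-interface alias commands a jail start script would run, without
# executing them. Entries with no "iface|" part fall back to DEFAULT_IFACE.
# A missing prefix defaults to /32 (IPv4) or /128 (IPv6); that default is an
# assumption made for this example, not something stated in the thread.
jail_ip_to_ifconfig() {
    _default_if=$1
    _old_ifs=$IFS
    IFS=,
    set -- $2          # split the comma-separated list into positional params
    IFS=$_old_ifs
    for _entry; do
        case $_entry in
            *\|*) _if=${_entry%%\|*}; _addr=${_entry#*\|} ;;
            *)    _if=$_default_if;   _addr=$_entry ;;
        esac
        # Reject "|addr", "iface|" and empty entries instead of silently
        # producing an alias on the wrong interface.
        if [ -z "$_if" ] || [ -z "$_addr" ]; then
            printf 'bad jail ip entry: "%s"\n' "$_entry" >&2
            return 1
        fi
        case $_addr in
            *:*) _af=inet6; _pfx=128 ;;
            *)   _af=inet;  _pfx=32 ;;
        esac
        case $_addr in
            */*) _pfx=${_addr##*/}; _addr=${_addr%/*} ;;
        esac
        printf 'ifconfig %s %s %s/%s alias\n' "$_if" "$_af" "$_addr" "$_pfx"
    done
}

# Constructed sample: the igb0 address from the thread, a documentation-range
# address on igb1, and an IPv6 address that inherits the default interface.
jail_ip_to_ifconfig igb0 'igb0|172.30.112.192,igb1|198.51.100.7/24,2001:db8::10'
```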


