Date:      Fri, 17 Jul 2020 08:46:07 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>,  "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, David Mehler <dave.mehler@gmail.com>, Ernie Luzar <luzar722@gmail.com>
Subject:   vnet jail for local only or public access
Message-ID:  <5F119D8F.7030407@gmail.com>
In-Reply-To: <CAPORhP4oNhA2vT5UG2OtV=JDbwcUCdXsXxzQXjZKSg1Fc6qe2Q@mail.gmail.com>
References:  <CAPORhP5+Q8TX_DuwbdAfvqf97pX=SCRfgyOz+zvMqPdnJ2gmYA@mail.gmail.com> <CAPORhP6a=3+F_xnYP-bL2MWoRYqjU7zXhNHQg6q4Bgg4P71Xsg@mail.gmail.com> <5EFCD605.4000409@gmail.com> <CAPORhP7R26Y85-XjFXqKtAzr2A8RxHgK530CJzp8y73tcgjMDg@mail.gmail.com> <5EFD095F.4040507@gmail.com> <CAPORhP408Cmb2FG89VOpUJJZhGJ2KUG70+0pMnzyk3Xev4vi1Q@mail.gmail.com> <5F0119F3.40806@gmail.com> <CAPORhP7QpZ3=3iPfogcKsqf0gBtgLvOdbNLG9=-Hk=8XjNCrcA@mail.gmail.com> <5F049E65.8000701@gmail.com> <CAPORhP7q5s14qy7VcX0rSLbOimweh7aXZuqmPNzTSAchLOHe9w@mail.gmail.com> <5F0DEE4A.6080600@gmail.com> <CAPORhP74+VvsWQc-r7UX9pzuzOABxXeL3V1K7FEjJFDarMnyKQ@mail.gmail.com> <5F0F00EB.5010403@gmail.com> <CAPORhP4q6_vkxpPw3okKLmvsm9zPgUn6mDu1XT3x1U8q4uiuDw@mail.gmail.com> <5F0F0FBC.9020200@gmail.com> <CAPORhP77kh9VNR-ZP_1k_5vj-NM9dw1Vgxd3E_muVLNtiLsp6Q@mail.gmail.com> <5F0F152C.3040908@gmail.com> <CAPORhP4oNhA2vT5UG2OtV=JDbwcUCdXsXxzQXjZKSg1Fc6qe2Q@mail.gmail.com>

Trying to figure out how to configure a vnet jail so it is restricted to 
only being able to talk to other vnet jails on the same host, i.e. local-only 
vnet jails, as opposed to the type of vnet jails that are able to access 
the public internet.

Using the bridge/epair method of connecting vnet jails to the host.
[ based on this how-to ]
https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/

It's my understanding that this behavior is controlled by whether the host's 
interface connected to the public internet is added as a member of the 
bridge that the vnet jails' epairXa interfaces are members of.

I tested this on a remote VM and found that it made no difference one 
way or the other whether the host's interface connected to the public internet 
was added as a member of the bridge or not. In both cases the vnet jail 
had public internet access.

On my home server I set up this scenario and observed the same behavior.

This behavior raises some questions.

Is it technically possible to segregate vnet jails into groups of vnet 
jails that are restricted to local host only access and another group 
that has public access?

If so what is the mechanism that controls this ability?

If I wanted both local only and public vnet jails on the same host I 
would think each group would need its own bridge. Where do we go from there?

Is my understanding correct, and is this a bug in if_bridge?
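The two-bridge layout asked about above, as an added example that is not code from the original post or the linked how-to: the "public" bridge gets the uplink as a member, while the "local-only" bridge gets neither the uplink nor a host IP address, so there is no layer-2 path out of it and nothing on the host to route for it. Interface names (em0 as uplink, bridge0/bridge1, epair0/epair1) are assumptions, and the check function parses constructed ifconfig output to confirm the uplink never ends up on the isolated bridge.

```shell
#!/bin/sh
# Added example; assumed names: em0 = host uplink, bridge0 = public bridge,
# bridge1 = local-only bridge, epairN = jail interfaces (the "a" side stays
# on the host, the "b" side goes to the jail via vnet.interface).
UPLINK=${UPLINK:-em0}
PUBLIC_BRIDGE=${PUBLIC_BRIDGE:-bridge0}
LOCAL_BRIDGE=${LOCAL_BRIDGE:-bridge1}

# Every ifconfig call goes through run(); DRY_RUN=1 prints instead of executing.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Create both bridges. Only the public bridge gets the uplink as a member;
# the local-only bridge is never given a member that leaves the host and is
# never assigned a host address (no 'inet' here), so its jails can reach
# only each other.
setup_bridges() {
    run ifconfig "$PUBLIC_BRIDGE" create
    run ifconfig "$PUBLIC_BRIDGE" addm "$UPLINK" up
    run ifconfig "$LOCAL_BRIDGE" create
    run ifconfig "$LOCAL_BRIDGE" up
}

# attach_jail <epairN> <bridge>: create the epair and add its "a" side to
# the chosen bridge; bridge0 for public jails, bridge1 for local-only jails.
attach_jail() {
    run ifconfig "$1" create
    run ifconfig "$2" addm "${1}a"
    run ifconfig "${1}a" up
}

# bridge_members: print member interface names from 'ifconfig <bridge>'
# output read on stdin (FreeBSD prints one "member: NAME ..." line each).
bridge_members() { awk '$1 == "member:" { print $2 }'; }

# check_isolated <uplink>: succeed only if the uplink is NOT a member of the
# bridge whose 'ifconfig' output is on stdin. Run it against the local-only
# bridge after setup to verify the segregation actually holds.
check_isolated() { ! bridge_members | grep -qx "$1"; }

# Usage on the host (as root):
#   setup_bridges; attach_jail epair0 bridge0; attach_jail epair1 bridge1
#   ifconfig bridge1 | check_isolated em0 || echo "bridge1 has the uplink!"
```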
