From: Robroy Gregg
To: Ernie Luzar
cc: freebsd-questions@freebsd.org
Date: Thu, 5 Jan 2017 10:56:15 -0800 (PST)
Subject: Re: jails & network/firewall setup
In-Reply-To: <586DD349.8000703@gmail.com>

Good day Ernie,

On Thu, 5 Jan 2017, Ernie Luzar wrote:

> Finally got myself a static IP address added to the dynamic IP address
> already assigned by my ISP. Both have their own unique domain names pointing
> to them and going to the same MAC address modem. Yes, I run ddclient to ensure
> the dynamic IP address and its domain name are kept in sync. When I do an
> ifconfig command I see the NIC facing the public internet has those 2 IP
> addresses listed.
>
> If I assign the static IP address to a jail, will all traffic traveling on
> that IP address be seen only by that jail without any firewall NAT forwarding
> rules being used?

Yes, packets destined for the jail your static IP is assigned to should reach
jailed processes without requiring NAT.

You probably already know about this point, yet regarding whether traffic will
be seen only by the jail or not--though you won't need NAT, it'll still be
necessary for you to configure daemons on your host system to associate only
with your dynamic IP; otherwise, they may also associate with your static IP,
which will make a confusing and/or insecure mixture of jailed and base
processes available on the static IP. For instance, both OpenSSH and the NFS
server associate themselves with all IPs on the computer, by default (and this
would include your jail's static IP, despite these processes running in the
host system, and not in the jail). And I don't know of any slick way to
configure daemons in general to associate with a specific, yet dynamically
assigned IP (but maybe you do).

> I.e.: assuming there are no firewall rules blocking traffic on that IP
> address.
>
> Let's state it a different way. Does all traffic targeted for a jail need to
> have firewall NAT rules by IP address and port number to forward just the
> desired port number traffic to that jail?

No, if I've understood your networking configuration correctly, you won't need
NAT. If your jail were assigned only an internal, private IP address, then
getting traffic destined for your public, static IP to the jail and back would
require NAT.

Happiness to you Ernie,
Robroy
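The check a practitioner would want after reading Robroy's warning is a way to find host daemons that are bound to the wildcard address (and therefore also answer on the jail's static IP) or bound directly to the jail's IP. The script below is an added example, not part of the thread and not FreeBSD's own tooling. It parses the column layout of `sockstat -4l` (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS), subtracts the jail's own listeners (which on a real host you would get with `sockstat -4l -j <jid>`), and prints every remaining listener whose local address is `*` or the static IP. The two sample listings and the addresses 203.0.113.10 (jail) and 198.51.100.25 (host) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Audit a FreeBSD host's
# listening sockets for daemons that would also be reachable on a jail's
# static IP. Addresses below are hypothetical placeholders.
STATIC_IP="203.0.113.10"     # assumed: the jail's public, static IP
DYNAMIC_IP="198.51.100.25"   # assumed: the host's dynamic IP

# Constructed sample in the layout of `sockstat -4l` run on the host.
# On a real host: SAMPLE_HOST=$(sockstat -4l)
SAMPLE_HOST="USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     nfsd       901   5  tcp4   *:2049                *:*
root     rpcbind    720   8  tcp4   198.51.100.25:111     *:*
root     ntpd       655   20 udp4   *:123                 *:*
www      nginx      1500  6  tcp4   203.0.113.10:80       *:*
www      nginx      1500  7  tcp4   203.0.113.10:443      *:*
root     sshd       1400  4  tcp4   203.0.113.10:22       *:*"

# Constructed sample of the jail's own listeners.
# On a real host: SAMPLE_JAIL=$(sockstat -4l -j <jid>)
SAMPLE_JAIL="USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1500  6  tcp4   203.0.113.10:80       *:*
www      nginx      1500  7  tcp4   203.0.113.10:443      *:*
root     sshd       1400  4  tcp4   203.0.113.10:22       *:*"

# audit_host_listeners HOST_LISTING JAIL_LISTING
# Prints "COMMAND PID PROTO LOCAL-ADDRESS" for each host (non-jail) listener
# bound to the wildcard address or directly to STATIC_IP.
audit_host_listeners() {
    # PIDs that belong to the jail are legitimately on the static IP.
    jailpids=$(printf '%s\n' "$2" | awk 'NR > 1 { print $3 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v ip="$STATIC_IP" -v jp="$jailpids" '
        BEGIN {
            n = split(jp, a, " ")
            for (i = 1; i <= n; i++) injail[a[i]] = 1
        }
        NR == 1 { next }              # header line
        ($3 in injail) { next }       # jailed process: expected on the jail IP
        {
            host = $6                 # LOCAL ADDRESS, e.g. *:22 or 1.2.3.4:80
            sub(/:[^:]*$/, "", host)  # strip the :port suffix
            if (host == "*" || host == ip) print $2, $3, $5, $6
        }'
}

# Stand-alone run against the constructed samples.
audit_host_listeners "$SAMPLE_HOST" "$SAMPLE_JAIL"
```

With the constructed input this flags sshd (*:22), nfsd (*:2049) and ntpd (*:123), and leaves rpcbind alone because it is already pinned to the host's dynamic address. Each flagged entry maps to a binding knob: `ListenAddress` in sshd_config for OpenSSH, and the `-h bindip` option of rpcbind(8), nfsd(8) and mountd(8) (set through `rpcbind_flags`, `nfs_server_flags` and `mountd_flags` in rc.conf) for NFS; the jail itself gets its address via `ip4.addr` in jail.conf. The caveat Robroy raises still applies: those knobs take a literal address, so when the host's dynamic IP changes the values must be updated, which is exactly the part that has no slick general solution.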