Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Apr 2012 17:58:42 -0500
From:      Mark Felder <feld@feld.me>
To:        freebsd-questions@freebsd.org
Subject:   Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
Message-ID:  <op.wcp7f4kr34t2sn@cr48.lan>
In-Reply-To: <FEED68A4-0C10-4057-B37B-EEA780977F25@shire.net>
References:  <BCF3FB8D-7FF0-4CB4-8491-6472EDED96B2@shire.net> <op.wcpyqodb34t2sn@tech304> <FEED68A4-0C10-4057-B37B-EEA780977F25@shire.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC  
<chad@shire.net> wrote:

> No NAT needed since they share the network stack under Jails v1 they  
> share the routing tables.  It works.  Try it.

You're clearly exploiting a bug in FreeBSD 6's jails. It must get confused  
and send your public IP on those packets. I have no idea how it processes  
the return traffic successfully, but "that's a neat trick!". There is no  
possible way for this to work without NAT or whatever bug this is. If a  
Jail has a 192.168 IP all packets would leave with a source of 192.168.  
When Google or whoever on the internet gets your packets it would see  
192.168 and probably drop it because that's not a publicly routable  
network.

Without NAT it's impossible for any device anywhere on the planet to  
access the internet with an RFC 1918 IP address.

I urge you to share your experience on the freebsd-jail@ mailing list.  
Those guys might be able to lend some further insight. I bet the change  
came with the update to jails that allows multiple IPs.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?op.wcp7f4kr34t2sn>