Date:      Thu, 19 Nov 2009 11:29:20 +0700
From:      Michael Svobodin <admik@admik.pp.ru>
To:        questions@freebsd.org
Subject:   Re: jail - beginner questions
Message-ID:  <20091119042920.GA16531@b.admik.pp.ru>
In-Reply-To: <4B03ABBC.8020008@shopzeus.com>
References:  <4B02A81F.1030101@shopzeus.com> <44tyws3n28.fsf@be-well.ilk.org> <4B02E742.4010705@shopzeus.com> <20091118044836.GA70999@b.admik.pp.ru> <4B03ABBC.8020008@shopzeus.com>

On Wed, Nov 18, 2009 at 09:09:32AM +0100, Laszlo Nagy wrote:

> Great. Here is what I did:
> 
> sorb# mkdir -p /usr/jails/vm1
> sorb# cd /usr/src
> sorb# setenv D /usr/jails/vm1
> sorb# make installworld DESTDIR=$D
> sorb# make distribution DESTDIR=$D
> sorb# cat >> /etc/rc.conf
> 
> jail_enable="YES"
> jail_list="vm1"
> jail_vm1_rootdir="/usr/jails/vm1"
> jail_vm1_hostname="vm1.localdomain"
> jail_vm1_ip="192.168.0.11"
> jail_vm1_interface="lnc0"
> jail_vm1_devfs_enable="YES"
> jail_vm1_devfs_ruleset="vm1_ruleset"
> 
> ^D
> sorb# mount -t devfs devfs $D/dev
> sorb# /etc/rc.d/jail start vm1
> Configuring jails:.
> Starting jails:ifconfig: interface lnc0 does not exist
> vm1.localdomain.
> 
> See, I do not understand how this works. If I use a real physical 
> interface then it works:
> 
> sorb# ifconfig
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>    options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>    ether 00:1a:4d:7b:cf:d6
>    inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
>    inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
>    media: Ethernet autoselect (100baseTX <full-duplex>)
>    status: active

I thought that your physical interface is the lnc0 on the host FreeBSD.
The jail startup script doesn't create any interfaces itself.
It uses any interface that exists in the host OS, and sets the ip address on it.
So, you can use either re0 or lo0.

> where X.X.X.X is my public internet IP address. But I do not like this. 
> I do not want to expose my jail's private IP address to the internet. Am 
> I too paranoid? Should I just add rules like
> 
> ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
> ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
> ipfw add 1002 deny all from any to 192.168.0.11
> ipfw add 1003 deny all from 192.168.0.11 to any
> 
> and be happy? Or would it be better to create a virtual ethernet 
> interface for my jails? Somehow?

If you want to hide your jail then you can use the interface lo0.
jail_vm1_interface="lo0"

Suppose that your public ip address is 192.168.201.50.

Then start the natd:
# natd -a 192.168.201.50

and add to ipfw these divert rules:
# ipfw add 10 divert natd all from any to 192.168.201.50 in
# ipfw add 20 divert natd all from 192.168.0.11 to any out

after that, add ipfw rules to allow the traffic diverted above,
or you can allow all for testing:
# ipfw add 30 allow all from any to any


Now your jail is hidden from the outer network.
But inside the jail the network is working.
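A preflight check for the rc.conf jail settings discussed in this thread, added here as an example and not part of the original exchange: it reads the jail_* variables, confirms that each jail's configured interface actually exists on the host (the "ifconfig: interface lnc0 does not exist" failure above) and points out jails whose alias would land on a physical NIC instead of lo0. The rc.conf fragment and the host interface list are constructed; on a live host feed it the contents of /etc/rc.conf and the output of `ifconfig -l`.

```shell
#!/bin/sh
# Preflight check for /etc/rc.conf jail_* settings (added example).
# /etc/rc.d/jail calls ifconfig on jail_<name>_interface without checking
# that the interface exists; this script does that check up front.

# Constructed rc.conf fragment mirroring the one posted in the thread.
SAMPLE_RC_CONF='jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm1_devfs_enable="YES"'

# Constructed host interface list; on a real host use: ifconfig -l
SAMPLE_IFLIST="re0 lo0"

# rc_get CONF KEY: print the (unquoted) value of KEY from the CONF text.
rc_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"*\([^\"]*\)\"*\$/\1/p" | tail -n 1
}

# check_jails CONF IFLIST: one line per jail in jail_list, one of
#   "<jail> missing-iface <iface>"      interface absent on the host (returns 1)
#   "<jail> exposed <ip> on <iface>"    alias on a real NIC, reachable from outside
#   "<jail> ok <ip> on <iface>"         alias on lo0, hidden as in the reply above
check_jails() {
    conf="$1"; iflist="$2"; rc=0
    for j in $(rc_get "$conf" jail_list); do
        iface=$(rc_get "$conf" "jail_${j}_interface")
        ip=$(rc_get "$conf" "jail_${j}_ip")
        found=0
        for i in $iflist; do
            if [ "$i" = "$iface" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s missing-iface %s\n' "$j" "$iface"; rc=1
        elif [ "$iface" != "lo0" ]; then
            printf '%s exposed %s on %s\n' "$j" "$ip" "$iface"
        else
            printf '%s ok %s on %s\n' "$j" "$ip" "$iface"
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample.
check_jails "$SAMPLE_RC_CONF" "$SAMPLE_IFLIST" || echo "fix rc.conf before starting jails"
```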


