Date: Wed, 23 Dec 2009 09:06:33 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Mel Flynn <mel.flynn+fbsd.hackers@mailing.thruhere.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Jail on 2 interfaces?
Message-ID: <4B31DD99.7000103@infracaninophile.co.uk>
In-Reply-To: <200912221734.05795.mel.flynn+fbsd.hackers@mailing.thruhere.net>
References: <200912221734.05795.mel.flynn+fbsd.hackers@mailing.thruhere.net>
Mel Flynn wrote:
> Hi,
>
> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so is
> it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it settable
> for rc(8)?
>
> The usage case is to have the same jailed proxy server on two separate
> internal networks. Ideally, the proxy will use one address for outgoing, so I
> guess I'll need a default route or dive into the squid config.
>
> At present I have:
> ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> jail_squid_rootdir="/usr/squid"
> jail_squid_ip="192.168.177.62"
> jail_squid_ip_multi0="192.168.176.62"
> jail_squid_interface="bge0"
>
> But this created the IP on bge0 even though one exists on em0. Is it as simple
> as not specifying the interface and adding the 177.62 alias on bge0?
> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my main
> worry is that the jail infrastructure understands the routing involved.

To do this directly is now possible in 8.0-RELEASE or better. You will
need a custom kernel with 'options VIMAGE' and I believe the standard jail
startup scripts need a bit of work in order for them to start the jail with
the correct command line arguments to enable the vnet functionality.

Note that vnet is /experimental/. It may eat your homework and blame it on
your dog. It is also known not to work yet with various subsystems which
haven't had the necessary recoding to understand the new kernel structures.
Probably the most significant missing bit is pf(4).
Alternatively, you can achieve much the same effect that you want by using
a simple one-ip jail and writing firewall rules to redirect traffic into
it, and NAT traffic coming out of it.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
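The single-IP alternative sketched in the reply, as a pf.conf fragment (an added example, not code from the thread or from FreeBSD): the squid jail keeps its one address on bge0, pf redirects proxy requests that arrive on em0 to it, and translates the connections the jail opens toward the em0 network. Interface names and addresses are the ones quoted in the thread; the squid port 3128, the /24 on em0 and a default-deny policy elsewhere in the ruleset are assumptions.

```pf
# /etc/pf.conf fragment for a one-IP squid jail reachable from two networks.
# bge0/em0 and the addresses come from the thread; port 3128 is assumed.
ext_if     = "bge0"             # network the jail's single address lives on
int_if     = "em0"              # second internal network, 192.168.176.0/24
jail_ip    = "192.168.177.62"   # jail_squid_ip from the thread
proxy_port = "3128"

# Translation rules must precede filter rules in pf.conf, and filter
# rules are matched against the translated packet.

# Inbound: clients on the em0 network talk to the host's em0 address;
# pf rewrites the destination to the jail's address, which the host
# delivers locally even though it is configured on bge0.
rdr on $int_if proto tcp from $int_if:network to ($int_if) port $proxy_port \
    -> $jail_ip port $proxy_port

# Outbound: connections the jail itself opens toward the em0 network
# (e.g. squid fetching from an origin server there) leave with the host's
# em0 address as source, so em0 hosts need no route to 192.168.177.0/24.
# Replies of redirected sessions are untranslated by the rdr state; this
# rule is only for jail-originated traffic.
nat on $int_if from $jail_ip to $int_if:network -> ($int_if)

# Filter: admit only the redirected proxy sessions from em0 (destination is
# already rewritten to $jail_ip here), and only translated sessions out.
# Assumes a "block" default policy is set elsewhere in the ruleset.
pass in quick on $int_if proto tcp from $int_if:network to $jail_ip \
    port $proxy_port keep state
pass out quick on $int_if proto tcp from ($int_if) to $int_if:network keep state
```

Because the jail shares the host's network stack and pf runs on the host, this keeps pf(4) out of the vnet picture the reply warns about; check the result with `pfctl -s nat` and `pfctl -s rules` after loading.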