Date: Thu, 06 Feb 2014 10:22:31 -0500
From: Jim Ohlstein <jim@ohlste.in>
To: Tyler Saylor <tyler@680x0.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf and jails
Message-ID: <52F3A8B7.3000608@ohlste.in>
In-Reply-To: <CAEZtMDYgTned8uN0pJ1DstuHjOiNF3pu0cwZNwfjnL570tFxvQ@mail.gmail.com>
References: <CAEZtMDYgTned8uN0pJ1DstuHjOiNF3pu0cwZNwfjnL570tFxvQ@mail.gmail.com>
Hello,

On 2/6/14, 9:34 AM, Tyler Saylor wrote:
> Hello,
>
> I'm running FreeBSD 10-RELEASE on i386. I have set up a few jails for
> services such as httpd and postfix using ezjail. The host has one physical
> ethernet interface and I have five routable IPv4 addresses; of the five,
> four are assigned to a jail and one is assigned to the host. I have a jail
> for mysql that is set up to use a clone of lo and the address "10.1.1.1".
> I'm also using pf to filter traffic to each service on the host.
>
> My question is this: How do I make it so that the other jails that are
> bound to routable addresses are able to interact with the jail on 10.1.1.1? Is
> there some magic pf voodoo I'm not understanding, or some mental deficiency
> I'm just now being made aware of? I've included my pf.conf and included an
> illustration.
>
> Thanks for any help,
> //Tyler Saylor
>
> For illustration:
>
> Each pipe represents a real, routable IPv4 address assigned to the
> respective jail. The star represents the private address of the jail I'd
> like to be accessible from the others.
>
> em0--|--|--|--|--|  lo1--*
>      h  w  i  m  s       m
>      o  w  r  a  v       y
>      s  w  c  i  n       s
>      t        l          q
>                          l
>
> pf.conf
>
> http://pastebin.ca/2630464

Assuming all of your jails are on the same loopback clone, and assuming you
have not set "skip-networking" in your my.cnf, they should be able to talk to
one another using the IP of the jail in question. Have you tried telnet?

# telnet 10.1.1.1 3306

That should give a result like:

Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
N
...

In your app, you'll probably need to set the "database host" or similar to
the jail IP (10.1.1.1 in this case) rather than to "localhost".

-- 
Jim Ohlstein

"Never argue with a fool, onlookers may not be able to tell the difference."
- Mark Twain
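The pf.conf fragment below is an added example for the setup described in the thread; it is not the poster's pastebin and not Jim's code. The interface names (em0, lo1) and the MySQL jail address (10.1.1.1) come from the thread. The routable addresses are placeholders from the RFC 5737 documentation range, the jail names (www, irc, mail, svn) are taken from the illustration, and the service ports are assumptions; substitute your own. It shows the two things a pf ruleset on this host needs for the private jail: a pass rule for the jails' routable source addresses to 10.1.1.1:3306, and a block on em0 so the private address is never reachable from the wire.

```pf
# Added example pf.conf for a host with four jails on em0 and a MySQL jail on
# a cloned loopback (lo1) at 10.1.1.1.  Not the configuration from the thread.
# Syntax-check before loading:  pfctl -nf /etc/pf.conf   then  pfctl -f /etc/pf.conf
ext_if     = "em0"
host_ip    = "203.0.113.10"     # placeholder (RFC 5737), the host's own address
www_ip     = "203.0.113.11"     # placeholders for the four jail addresses
irc_ip     = "203.0.113.12"
mail_ip    = "203.0.113.13"
svn_ip     = "203.0.113.14"
jail_ips   = "{" $www_ip $irc_ip $mail_ip $svn_ip "}"
mysql_ip   = "10.1.1.1"
mysql_port = "3306"

# pf filters loopback traffic as well.  A connection from a jail address to
# another local address is delivered over lo0 (netstat -rn shows a UHS host
# route to lo0 for every local address), so lo0 is skipped here; the explicit
# pass rule further down also covers the case where you see it on lo1.
set skip on lo0

# Default deny, with logging so a failed jail-to-jail connection shows the
# interface and rule that dropped it:  tcpdump -n -e -ttt -i pflog0
block log all

# Jail-to-MySQL.  Deliberately not tied to an interface: the packet from a
# jail with a routable source address to 10.1.1.1 never leaves the host, and
# the rule matches on whichever loopback pf sees it.  keep state lets the
# replies back to the jail.
pass quick proto tcp from $jail_ips to $mysql_ip port $mysql_port keep state

# The private address must not be reachable from the wire at all.
block in quick on $ext_if from any to $mysql_ip

# Public services, each pinned to its own jail address (ports are assumed).
pass in on $ext_if proto tcp to $www_ip  port { 80, 443 } keep state
pass in on $ext_if proto tcp to $mail_ip port { 25, 587 } keep state
pass in on $ext_if proto tcp to $host_ip port 22         keep state
pass out on $ext_if keep state
```

To test from inside one of the jails rather than from the host, use the jail's own network stack, e.g. `jexec www nc -vz 10.1.1.1 3306` (nc with -z is in the FreeBSD base system; "www" is the assumed jail name). If that fails while Jim's telnet from the host succeeds, enable pflog (`pflog_enable="YES"` in rc.conf) and watch pflog0 as noted in the comments: the log line names the interface and the rule number, which is the fastest way to find out whether the drop happened on lo0, lo1 or em0. On the MySQL side, "skip-networking" must be off and bind-address either unset or set to 10.1.1.1; inside a FreeBSD 10 jail with a single IPv4 address, binding to 0.0.0.0 binds to that address.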
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52F3A8B7.3000608>