I thank you all for your fast and kind replies!
I was thinking of building some kind of API above pf(4) to let each jail act as
a tenant firewall... Maybe I should wait for the birth of 11-RELEASE to go for it...
Meanwhile I think I'll get over it with an API/framework that can handle pf
with its anchor files doing basic VLAN ACLs as a virtual way of achieving this,
security concerns aside...
From: wishmaster <[email protected]>
To: Sebastián Maruca <[email protected]>
CC: [email protected]
Sent: Monday, May 30, 2016 15:31:27
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Hi,
> Hi to everyone!
> I want to deploy several "jailed" firewalls, where each one of them would
> contain at least three multiple virtual interfaces (associated with virtual
> internal nets) like "WAN", "LAN" and "DMZ" for example...
> First *innocent* question (I beg your pardon for my ignorance dealing with
> jails!) Can vnet/vimage help me deploy such a complex jailed environment???
Yes. If you need help you can email me privately.
> Second *innocent* question, so far so good, reading the jail manpage (circa
> July 6, 2015/FreeBSD 10.3) it seems VNET/VIMAGE is fully integrated into the
> FreeBSD kernel, is VNET/VIMAGE ready for production level???
Yes. I have been using vnet jails since 10.0 in quite complex scenarios. Yes,
there are some open issues with vnet (pf, memory leak on stopping a jail and so
on), but I think in 11-RELEASE these bugs will be fixed. Currently Bjorn Zeeb
works on these problems. See https://svnweb.freebsd.org/base/projects/vnet/
But for now, you can safely use vnet. Just use IPFW and do not start/stop jails
needlessly.
> As a side note, at the host level would there be some kind of API/service that
> would deal with pfctl in order to rule flows between all of them...
> Best regards, Seba
--
Vitaliy
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[email protected]"