Re: vnet jail for local only or public access

Mon, 20 Jul 2020 01:37:03 -0700

Quoting Ernie Luzar <luzar...@gmail.com> (from Fri, 17 Jul 2020 16:31:53 -0400): 


Alexander Leidinger wrote:
Quoting Ernie Luzar <luzar...@gmail.com> (from Fri, 17 Jul 2020 08:46:07 -0400): 


Trying to figure out how to configure a vnet jail so it is  
restricted to only being able to talk to other vnet jails on the  
same host IE: local only vnet jails. As different to being able to  
access the public internet type of vnet jails.


Using the bridge/epair method of connecting vnet jails to the host.
[ based on this how-to ]

https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/ It's my understanding that this behavior is controlled by if the hosts interface connected to the public internet is added as a member to the bridge the vnet jails epairXa interfaces were members  
of.



Partly correct. You can also have a setup where your host is  
routing between what you call the public internet and the local  
only vnets.



I tested this on a remote vm and found that it made no difference  
one way or the other if the hosts interface connected to the  
public internet was added as a member to the bridge or not. In  
both cases the vnet jail had public internet access.


It shouldn't, if there is no routing involved.

Please show us "ifconfig -a" and "netstat -rn" of the host.

Bye,
Alexander.



root >netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
10.0.20.0/24       link#5             U      bridge10


You have a routing table entry for the bridge on the host.


10.0.20.2          link#5             UHS         lo0
xxx.25.48.0/20     link#2             U           re0
xxx.25.51.0        link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
/root >
/root >ifconfig -a



bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric  
0 mtu 1500

        description: qjail-vnet-jail-only-bridge
        ether 02:3e:ba:a7:58:0a
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge
        nd6 options=1<PERFORMNUD>


Your bridge has an IP address.


Both together: I suspect your host is routing between your jail and  
the outside.



If you remove the IP address from the bridge, you should have a  
jails-on-the-bridge-only setup.


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF



Attachment:
pgpFJi7GXR4a6.pgp

Description: Digitale PGP-Signatur






















					Reply via email to