On 4/25/14, 7:23 AM, Rob J wrote:
> Hi,
>
> I have been playing with vnet jails, and have a configuration working that
> I thought would not be (based on the docs out there), but it is. I have a
> box with 3 NICs: hme0, em0 and em1. Basically, with the assumption that
> the internet-facing gateway is potentially a weak point, I set out to
> configure a jail on the above box to be the gateway, rather than the
> physical host itself. I recompiled the kernel with the VIMAGE option, and
> set up a jail that uses em0 (192.168.x.y) as the LAN side and hme0 (public
> IP a.b.c.d) as the ISP side.
Conceptually, the normal base system is just a single instance of a vnet jail,
so any situation that you can do with a separate machine as router should
be doable with a vnet jail in that role.

The error messages you see are because some sysctls cannot be set from within a jail. There may be a setting to allow them to happen in a jail... I have not checked.

You may attach your regular 'base' system to the jail using a physical ethernet, or it may have a shortcut with its own epair or netgraph link to the router instance.

This is exactly the sort of situation we wanted to write vnets for.
> On the jail itself, its default route to the internet is public IP a.b.c.e
> (same network as interface hme0 above). Then I set the rest of my LAN to
> point to 192.168.x.y (interface em0 above) as the default gateway. I have
> access to the internet with that configuration, routing through the jail
> (or at least I think so) - everything seems to work. The two errors I get
> upon starting the jail are: "sysctl: net.inet.ip.sourceroute not
> permitted" and "sysctl: net.inet.ip.accept_sourceroute not permitted".
> Anybody know what may be broken with my configuration? All the docs I read
> about having a jail route traffic seemed to imply it is undoable.
>
> Did I create a glaring hole in my network by having this design as my
> firewall and router? I also noticed that the physical host is doing all
> the logging for dmesg and security, when I thought the jail would, but it
> is beginning to make sense that the kernel is only running on the physical
> host, and therefore does the logging of all kernel-related activities.
>
> Any comments or suggestions welcome.
>
> Thanks,
>
> Robert
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[email protected]"
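Since the two sysctls the jail's startup complains about are host-global and refused inside the jail, the place to confirm they hold is the host. The following is an added POSIX sh check, not something from this thread or from FreeBSD itself; the sample sysctl output it feeds itself is constructed, and the expected values (forwarding on, source routing refused and not honoured) are this example's assumption about what a host fronting a vnet-jail router should show.

```shell
# Added example (not from the thread): the jail cannot set these host-global
# sysctls, so verify them on the host once the routing jail is up.
# Assumed expected values for a host fronting a vnet-jail router:
# forwarding on, source-routed packets neither forwarded nor accepted.
ROUTER_HOST_SYSCTLS="net.inet.ip.forwarding=1 net.inet.ip.sourceroute=0 net.inet.ip.accept_sourceroute=0"

# check_router_sysctls: read "name: value" lines in the format sysctl(8)
# prints on stdin; report each mismatch or missing key; exit 0 only if
# every expected key is present with the expected value.
check_router_sysctls() {
  awk -v expect="$ROUTER_HOST_SYSCTLS" '
    BEGIN {
      n = split(expect, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    {
      key = $1; sub(/:$/, "", key)        # strip the trailing colon sysctl prints
      if (key in want) {
        seen[key] = 1
        if ($2 != want[key]) { printf "MISMATCH %s=%s (want %s)\n", key, $2, want[key]; bad = 1 }
      }
    }
    END {
      for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample (not captured from a real host): forwarding enabled,
# source routing left at its off defaults.
sample_ok() {
  printf 'net.inet.ip.forwarding: 1\nnet.inet.ip.sourceroute: 0\nnet.inet.ip.accept_sourceroute: 0\n'
}

# Constructed sample: source routing accepted, forwarding off, one key absent.
sample_bad() {
  printf 'net.inet.ip.forwarding: 0\nnet.inet.ip.accept_sourceroute: 1\n'
}

# On the real host you would pipe the live values instead of a sample:
#   sysctl net.inet.ip.forwarding net.inet.ip.sourceroute net.inet.ip.accept_sourceroute | check_router_sysctls
sample_ok | check_router_sysctls && echo "sample_ok: host sysctls as expected"
sample_bad | check_router_sysctls || echo "sample_bad: fix these on the host; the jail cannot"
```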