David Allen wrote:
There was a post recently (Matthew Seaman's name comes to mind) that suggested binding jails to addresses in the loopback range and then using firewall rules to redirect the traffic accordingly. There's a possibility that may help in this case, but that layer of added complexity isn't much of an improvement over seeing connections with seemingly identical endpoints and interpreting the results in my head.
Guilty as charged M'lud.However what I recommended was a more-than-slightly hacky way to achieve three things:
* Something like a loopback address inside the jail. It may be 127.0.0.2 instead of 127.0.0.1 but most software can be persuaded to use it for loopback style things. * The ability to map several IPs onto the jailed system by use of NAT and redirect within firewall rules * The ability to have a jail with /no/ external IP for when the paranoia becomes unbearable[*]. Of course, all this will be immediately obsoleted by Marco Zec's work on virtualizing the IP stack. http://imunes.tel.fer.hr/virtnet/ Cheers, Matthew [*] Combine this with a Hardware Load Balancer that does Direct ServerReturn and you can have a publicly accessible jailed server with /no external IP address/.
-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature