David Allen wrote:

There was a post recently (Matthew Seaman's name comes to mind) that
suggested binding jails to addresses in the loopback range and then
using firewall rules to redirect the traffic accordingly.  There's a
possibility that may help in this case, but that layer of added
complexity isn't much of an improvement over seeing connections with
seemingly identical endpoints and interpreting the results in my head.


Guilty as charged M'lud.

However what I recommended was a more-than-slightly hacky way to achieve three things:

  * Something like a loopback address inside the jail.  It may be
    127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
    to use it for loopback style things.

  * The ability to map several IPs onto the jailed system by use of
    NAT and redirect within firewall rules

  * The ability to have a jail with /no/ external IP for when the
    paranoia becomes unbearable[*].

Of course, all this will be immediately obsoleted by Marko Zec's work
on virtualizing the IP stack.  http://imunes.tel.fer.hr/virtnet/

        Cheers,

        Matthew

[*] Combine this with a Hardware Load Balancer that does Direct Server
Return and you can have a publicly accessible jailed server with /no external IP address/.
--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
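As an added illustration of the three points in Matthew's reply (example rules written for this page, not taken from his post), here is a pf.conf fragment for a jail whose only address is 127.0.0.2: outbound NAT, inbound redirect of the published ports, and no public IP on the jail itself. The interface name, the ports and the lo0 alias are assumptions.

```conf
# Assumed external interface and the jail's only address. The alias must
# exist before the jail starts, e.g.:
#   ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255
ext_if = "em0"
jail_ip = "127.0.0.2"
jail_services = "{ 80, 443 }"

# (1) Outbound: connections the jail opens leave with the host's public
#     address, so the jail never needs an external IP of its own.
nat on $ext_if inet from $jail_ip to any -> ($ext_if)

# (2) Inbound: traffic for the published ports is mapped onto the jail's
#     loopback-range address. Translation happens before filtering, so the
#     pass rule below sees 127.0.0.2 as the destination.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $jail_services -> $jail_ip

# (3) Nothing else from the wire may reach the loopback range; only the
#     redirected service ports are allowed through to the jail.
block in on $ext_if inet from any to 127.0.0.0/8
pass in on $ext_if inet proto tcp from any to $jail_ip port $jail_services \
    flags S/SA keep state
```

Load with `pfctl -f /etc/pf.conf` and check the translation with `pfctl -s nat`; the jail sees all inbound connections as arriving at 127.0.0.2, which is the endpoint ambiguity David described.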
