On Wed, Nov 18, 2009 at 09:09:32AM +0100, Laszlo Nagy wrote:

> Great. Here is what I did:
> 
> sorb# mkdir -p /usr/jails/vm1
> sorb# cd /usr/src
> sorb# setenv D /usr/jails/vm1
> sorb# make installworld DESTDIR=$D
> sorb# make distribution DESTDIR=$D
> sorb# cat >> /etc/rc.conf
> 
> jail_enable="YES"
> jail_list="vm1"
> jail_vm1_rootdir="/usr/jails/vm1"
> jail_vm1_hostname="vm1.localdomain"
> jail_vm1_ip="192.168.0.11"
> jail_vm1_interface="lnc0"
> jail_vm1_devfs_enable="YES"
> jail_vm1_devfs_ruleset="vm1_ruleset"
> 
> ^D
> sorb# mount -t devfs devfs $D/dev
> sorb# /etc/rc.d/jail start vm1
> Configuring jails:.
> Starting jails:ifconfig: interface lnc0 does not exist
> vm1.localdomain.
> 
> See, I do not understand how this works. If I use a real physical 
> interface then it works:
> 
> sorb# ifconfig
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>    options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>    ether 00:1a:4d:7b:cf:d6
>    inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
>    inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
>    media: Ethernet autoselect (100baseTX <full-duplex>)
>    status: active

I thought that your physical interface is the lnc0 on the host FreeBSD.
The jail startup script doesn't create any interfaces itself.
It uses any interface that exists in the host OS, and sets the IP address on it.
So, you can use either re0 or lo0. 

> where X.X.X.X is my public internet IP address. But I do not like this. 
> I do not want to expose my jail's private IP address to the internet. Am 
> I too paranoid? Should I just add rules like
> 
> ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
> ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
> ipfw add 1002 deny all from any to 192.168.0.11
> ipfw add 1003 deny all from 192.168.0.11 to any
> 
> and be happy? Or would it be better to create a virtual ethernet 
> interface for my jails? Somehow?

If you want to hide your jail then you can use the interface lo0.
jail_vm1_interface="lo0"

Suppose that your public ip address is 192.168.201.50.

Then start the natd:
# natd -a 192.168.201.50

and add to ipfw these divert rules:
# ipfw add 10 divert natd all from any to 192.168.201.50 in
# ipfw add 20 divert natd all from 192.168.0.11 to any out

after that add to ipfw rules to allow the traffic diverted above
or you can allow all for testing:
# ipfw add 30 allow all from any to any


Now your jail is hidden from the outer network.
But inside the jail the network is working.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
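The following is an added example, not code posted by either participant in the thread. It generates the ipfw rules the reply describes (divert to natd on the way in to the public address and on the way out from the jail address, followed by an allow-all for testing, with the reply's rule numbers 10/20/30) and adds a check the thread does not include: given ifconfig output, it reports whether the jail's private IP is bound to anything other than a loopback interface, which is exactly the exposure the original poster was worried about. The public IP 192.168.201.50, the jail IP 192.168.0.11 and the two ifconfig samples are constructed; it assumes natd has already been started with `natd -a <public ip>` as in the reply, and that `options IPDIVERT` (or the ipdivert module) is available so the `divert natd` rules work.

```shell
#!/bin/sh
# Added example (not from the thread): emit the natd/ipfw rules for hiding a
# jail behind the host's public address, and check an ifconfig dump for the
# jail IP appearing on a non-loopback interface.

# Print the ipfw ruleset from the reply.
#   $1 = host public IP, $2 = jail IP, $3 = first rule number (default 10)
# The third rule allows everything and is only for testing; a real ruleset
# should allow just the traffic that passes through the divert rules.
jail_nat_rules() {
    pub="$1"; jip="$2"; base="${3:-10}"
    printf 'ipfw add %d divert natd all from any to %s in\n' "$base" "$pub"
    printf 'ipfw add %d divert natd all from %s to any out\n' "$((base + 10))" "$jip"
    printf 'ipfw add %d allow all from any to any\n' "$((base + 20))"
}

# Read ifconfig-style output on stdin and print every non-loopback interface
# that carries the jail IP ($1). Exit status 0 if the IP is exposed on such an
# interface, 1 if it only appears on lo* (or not at all).
jail_ip_exposed() {
    jip="$1"
    found=$(awk -v ip="$jip" '
        /^[a-z0-9]+:/ { iface = $1; sub(":", "", iface) }   # new interface block
        $1 == "inet" && $2 == ip && iface !~ /^lo/ { print iface }
    ')
    [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
    return 1
}

# Constructed ifconfig output: jail IP aliased onto the physical interface re0
# (the configuration the original poster did not like).
SAMPLE_EXPOSED='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.201.50 netmask 0xffffff00 broadcast 192.168.201.255
	inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

# Constructed ifconfig output: jail IP on lo0 only, as the reply recommends.
SAMPLE_HIDDEN='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.201.50 netmask 0xffffff00 broadcast 192.168.201.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet 192.168.0.11 netmask 0xffffffff'

# Stand-alone demonstration.
echo "# ipfw rules for natd (run 'natd -a 192.168.201.50' first):"
jail_nat_rules 192.168.201.50 192.168.0.11

for name in SAMPLE_EXPOSED SAMPLE_HIDDEN; do
    eval "dump=\$$name"
    if ifaces=$(printf '%s\n' "$dump" | jail_ip_exposed 192.168.0.11); then
        echo "$name: jail IP 192.168.0.11 is exposed on: $ifaces"
    else
        echo "$name: jail IP 192.168.0.11 is only on loopback"
    fi
done
```

On a live host, pipe real `ifconfig` output into `jail_ip_exposed` and feed the printed rules to the shell (after `natd -a` is running) to reproduce the setup from the reply; the allow-all rule should then be replaced by rules that only pass the traffic the two divert rules handle.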