Re: another jail question

2007-03-24 Thread Meenoo Shivdasani

On 3/24/07, Jonathan Horne <[EMAIL PROTECTED]> wrote:

> is there a way to configure a jail to use more than one ip address?  in the
> same sense of configuring an alias ip for any other freebsd host?


As others have posted, not without either doing IP address
manipulation or using the patches available out there.

In terms of working around the issue, I guess it depends on what
you're trying to accomplish.  In a situation where I wanted a jail
host to have an internal private address and an external public
address, the problem was solved by assigning the private address to
the jail and then using a firewall to redirect connections destined to
the public address in to the private address.

I'll also add my voice to the recommendations to use ezjail -- it does
all the heavy lifting for you.

M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: another jail question

2007-03-24 Thread Vince

Wojciech Puchar wrote:
> > is there a way to configure a jail to use more than one ip address?
> > in the same sense of configuring an alias ip for any other freebsd host?
> 
> IMHO not.

Not entirely true apparently. See http://blog.cg.nu/?p=9 for details of
someone who adapted PJD's patch for current to 6.1 (so presumably it's
adaptable for 6.2).

Not something I've tried though.

Vince





Re: another jail question

2007-03-24 Thread Wojciech Puchar

> is there a way to configure a jail to use more than one ip address?  in the
> same sense of configuring an alias ip for any other freebsd host?


IMHO not.


RE: another jail question

2007-03-24 Thread Rick Apichairuk
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED] On Behalf Of Matthew Seaman
> Sent: Saturday, March 24, 2007 1:38 PM
> To: Jonathan Horne
> Cc: freebsd-questions@freebsd.org
> Subject: Re: another jail question
> 
> Jonathan Horne wrote:
> > is there a way to configure a jail to use more than one ip address?
> > in the same sense of configuring an alias ip for any other freebsd
> > host?
> 
> jail(8) only allows you one IP -- there are some patches around
> which will let you create jails with more IPs, and even better
> there's a clonable network stack under development -- meaning
> each jail can have its own firewall instance etc. etc.
> 
> However none of that is really ready for prime time usage just
> yet.  In fact, that's all rather experimental at the moment and
> suitable only for gurus to play with.
> 
> There is an alternative.
> 
> You can achieve something like what you want with a bit of
> firewall trickery.  Add an alias IP to the loopback interface --
> say 127.0.0.2
> 
> :# ifconfig lo0
> lo0: flags=8049 mtu 16384
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> inet6 ::1 prefixlen 128
> inet 127.0.0.1 netmask 0xff00
> inet 127.0.0.2 netmask 0x
> 
> Now create a jail using that IP.  Something like this in
> /etc/rc.conf is what you'll need, plus following the instructions
> in jail(8) to create the filesystems in the jail:
> 
> jail_enable="YES"
> jail_list="j1"
> jail_j1_hostname="j1.example.com"
> jail_j1_interface="lo0"
> jail_j1_mount_enable="YES"
> jail_j1_fstab="/etc/fstab.jail.j1"
> jail_j1_ip="127.0.0.2"
> jail_j1_rootdir="/jail/j1.example.com"
> 
> Fire up whatever services you want inside your jail -- within it,
> you'll have to configure everything to bind to the jail IP
> 127.0.0.2 specifically, but that's just the way things are in jails
> even without this redirection trick.
> 
> Now, configure the IPs on interfaces you want the outside world to
> see as belonging to your jail -- for illustrative purposes I'll
> choose 12.34.56.78 and 12.34.56.79 as example addresses to use for
> the jail. Then use firewall NAT functionality to redirect traffic
> into the jail.  If you use pf (definitely recommended) then a
> snippet like the following should be useful in /etc/pf.conf:
> 
> jail_int="127.0.0.2"
> jail_ext0="12.34.56.78"
> jail_ext1="12.34.56.79"
> 
> # Outward connections from within the jail
> nat on $ext_if proto { tcp udp }   \
>  from $jail_int\
>  to !$jail_int -> $jail_ext0 static-port
> 
> # Incoming connections to the jail
> rdr on $ext_if proto tcp   \
>  from any  \
>  to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int
> 
> If you want to run multiple HTTPS v-hosts from within the jail
> you'll have to configure them to all run on distinct port numbers
> within apache, and use something like this to generate the mapping:
> 
> rdr on $ext_if proto tcp   \
>  from any  \
>  to $jail_ext0 port 443 -> $jail_int port 8443
> rdr on $ext_if proto tcp   \
>  from any  \
>  to $jail_ext1 port 443 -> $jail_int port 9443
> 
> This approach works pretty well for many protocols, but it does have
> the basic limitation that you can tell a priori from within the jail
> which external address the traffic went to.  Either you've got to
> determine the answer by looking at the traffic payload (eg. HTTP has
> a header saying which v-host the request is for) or apply the sort of
> port remapping shown above.
> 
>   Cheers,
> 
>   Matthew
> 
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
>   Kent, CT11 9PW

You have a very interesting work around to the problem. I am using jails as
virtual servers and was wondering about the same thing myself. I will have to
try this. Thanks for the idea.

Rick Apichairuk



Re: another jail question

2007-03-24 Thread Matthew Seaman
Jonathan Horne wrote:
> is there a way to configure a jail to use more than one ip address?
> in the same sense of configuring an alias ip for any other freebsd
> host?

jail(8) only allows you one IP -- there are some patches around
which will let you create jails with more IPs, and even better
there's a clonable network stack under development -- meaning
each jail can have its own firewall instance etc. etc.

However none of that is really ready for prime time usage just
yet.  In fact, that's all rather experimental at the moment and
suitable only for gurus to play with.

There is an alternative.

You can achieve something like what you want with a bit of
firewall trickery.  Add an alias IP to the loopback interface --
say 127.0.0.2

:# ifconfig lo0
lo0: flags=8049 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff00 
inet 127.0.0.2 netmask 0x 

Now create a jail using that IP.  Something like this in
/etc/rc.conf is what you'll need, plus following the instructions
in jail(8) to create the filesystems in the jail:

jail_enable="YES"
jail_list="j1"
jail_j1_hostname="j1.example.com"
jail_j1_interface="lo0"
jail_j1_mount_enable="YES"
jail_j1_fstab="/etc/fstab.jail.j1"
jail_j1_ip="127.0.0.2"
jail_j1_rootdir="/jail/j1.example.com"

Fire up whatever services you want inside your jail -- within it,
you'll have to configure everything to bind to the jail IP
127.0.0.2 specifically, but that's just the way things are in jails
even without this redirection trick.

Now, configure the IPs on interfaces you want the outside world to
see as belonging to your jail -- for illustrative purposes I'll
choose 12.34.56.78 and 12.34.56.79 as example addresses to use for
the jail. Then use firewall NAT functionality to redirect traffic
into the jail.  If you use pf (definitely recommended) then a
snippet like the following should be useful in /etc/pf.conf:

jail_int="127.0.0.2"
jail_ext0="12.34.56.78"
jail_ext1="12.34.56.79"

# Outward connections from within the jail
nat on $ext_if proto { tcp udp }   \
 from $jail_int\
 to !$jail_int -> $jail_ext0 static-port

# Incoming connections to the jail
rdr on $ext_if proto tcp   \
 from any  \
 to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

If you want to run multiple HTTPS v-hosts from within the jail
you'll have to configure them to all run on distinct port numbers
within apache, and use something like this to generate the mapping:

rdr on $ext_if proto tcp   \
 from any  \
 to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp   \
 from any  \
 to $jail_ext1 port 443 -> $jail_int port 9443

This approach works pretty well for many protocols, but it does have
the basic limitation that you can tell a priori from within the jail
which external address the traffic went to.  Either you've got to
determine the answer by looking at the traffic payload (eg. HTTP has
a header saying which v-host the request is for) or apply the sort of
port remapping shown above.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW



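The pf.conf snippet in Matthew's reply hand-writes one nat rule, one shared rdr rule and one remapped rdr rule per public address. The following is an added example, not code from the thread or from the pf project: a small Python generator that produces the same rule layout for any number of public addresses and, before emitting anything, rejects a port plan in which two public (address, port) pairs would land on the same internal port, which is exactly the ambiguity the last paragraph of the reply describes. The function names `validate_port_plan` and `generate_pf_rules`, the interface name `em0` and the address and port values passed in are constructed for the example; the rule syntax matches the snippet above.

```python
"""Generate pf nat/rdr rules that map several public addresses onto one
loopback-addressed jail, following the layout of Matthew's pf.conf snippet.

Added example, not code from the thread. Interface name, address lists and
the port plan below are constructed sample values."""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def validate_port_plan(shared_ports: Iterable[int],
                       port_remap: Dict[str, Dict[int, int]]) -> Set[int]:
    """Return the set of internal ports the plan uses inside the jail.

    Raises ValueError when two different public (address, port) pairs would
    land on the same internal port: the jail only sees its loopback address,
    so the internal port is the only thing telling the two apart.
    """
    shared: Set[int] = set(shared_ports)
    owner: Dict[int, Tuple[str, int]] = {}
    for ext, mapping in port_remap.items():
        for pub_port, int_port in mapping.items():
            if int_port in shared:
                raise ValueError(
                    f"internal port {int_port} is both a shared port and the "
                    f"target of {ext}:{pub_port}")
            if int_port in owner and owner[int_port] != (ext, pub_port):
                raise ValueError(
                    f"internal port {int_port} reused for {ext}:{pub_port} "
                    f"and {owner[int_port][0]}:{owner[int_port][1]}")
            owner[int_port] = (ext, pub_port)
    return shared | set(owner)


def generate_pf_rules(ext_if: str, jail_int: str, jail_ext: List[str],
                      shared_ports: Iterable[int],
                      port_remap: Optional[Dict[str, Dict[int, int]]] = None) -> str:
    """Return pf.conf text for one jail bound to jail_int (a loopback alias).

    shared_ports: redirected to the same internal port on every public
                  address; fine when the protocol carries the virtual host
                  in its payload (the HTTP Host header).
    port_remap:   {public_addr: {public_port: internal_port}} for protocols
                  where the jail could not otherwise tell which public
                  address was hit (the HTTPS case in the thread).
    """
    if not jail_ext:
        raise ValueError("at least one public address is required")
    port_remap = port_remap or {}
    shared = sorted(set(shared_ports))
    validate_port_plan(shared, port_remap)

    lines = [f'ext_if="{ext_if}"', f'jail_int="{jail_int}"']
    lines += [f'jail_ext{i}="{addr}"' for i, addr in enumerate(jail_ext)]

    # Outbound: everything leaving the jail is sourced from the first public
    # address; static-port keeps the source port unchanged.
    lines += ["", "# Outward connections from within the jail",
              "nat on $ext_if proto { tcp udp } from $jail_int "
              "to !$jail_int -> $jail_ext0 static-port"]

    if shared:
        ext_list = " ".join(f"$jail_ext{i}" for i in range(len(jail_ext)))
        port_list = " ".join(str(p) for p in shared)
        lines += ["", "# Incoming connections to the jail (same port on every public address)",
                  f"rdr on $ext_if proto tcp from any to {{ {ext_list} }} "
                  f"port {{ {port_list} }} -> $jail_int"]

    if port_remap:
        lines += ["", "# Per-address port remapping so the jail can tell the addresses apart"]
    for ext, mapping in port_remap.items():
        idx = jail_ext.index(ext)  # ValueError if ext is not one of the jail's addresses
        for pub_port, int_port in sorted(mapping.items()):
            lines.append(f"rdr on $ext_if proto tcp from any to $jail_ext{idx} "
                         f"port {pub_port} -> $jail_int port {int_port}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The plan from the thread: two public addresses, SMTP and HTTP shared,
    # HTTPS remapped to a distinct internal port per public address.
    print(generate_pf_rules("em0", "127.0.0.2", ["12.34.56.78", "12.34.56.79"],
                            [25, 80],
                            {"12.34.56.78": {443: 8443}, "12.34.56.79": {443: 9443}}))
```

Feed the output to `pfctl -nf -` to syntax-check it before loading; the generator deliberately raises rather than emitting a rule set in which two public addresses would be indistinguishable from inside the jail.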


Re: Another Jail Question

2002-12-04 Thread Vallo Kallaste
On Wed, Dec 04, 2002 at 03:47:10PM -0400, "Marc G. Fournier"
<[EMAIL PROTECTED]> wrote:

> > Hardly any traffic... it's an internal dev machine hit by about 10
> > people...
> 
> 101 Jails:
> 
> last pid: 13467;  load averages: 21.09, 13.50, 19.54    up 17+12:23:50  13:43:55
> 1576 processes:4 running, 1572 sleeping
> CPU states: 59.0% user,  0.0% nice,  9.0% system,  0.0% interrupt, 32.1% idle
> Mem: 2553M Active, 649M Inact, 474M Wired, 157M Cache, 199M Buf, 9120K Free
> Swap: 3072M Total, 184M Used, 2888M Free, 5% Inuse
> 
> I think I peaked that machine around 196 jails at one point, before we picked
> up a second server as well as before we were able to do multiple domains
> per VM cleaner than one jail each ...
> 
> the load average is misleading, as I've seen it hit as high as 1000 and still
> allow me to type on the machine, in order to rectify the problem process(es) ...
> 
> God, I love FreeBSD :)

Sounds like really good -advocacy material :-) The guys over there
will happily morph it into big marketing buzz, I'm sure :)
-- 

Vallo Kallaste
[EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



RE: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> Any idea when it will be merged into the main code base ?
> i tend to stay away from development branches..

not sure, I believe not until 2.2 is fully released ... since I'm one of
the ones that pushed for it to happen, I kinda had to be one of those
willing to pound it too :)

> that being said, why the hell am i running apache2.. who knows.

Actually, Apache2 has some nice features, but the PHP4 guys are having too
much of a time keeping themselves in sync, we haven't fully deployed it
... she's stable, but don't expect to upgrade when they release new
versions, since chances are your PHP4 will be broken for awhile :(






RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
Any idea when it will be merged into the main code base ?
i tend to stay away from development branches..

that being said, why the hell am i running apache2.. who knows.

Jeff.

> -Original Message-
> From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 04, 2002 2:43 PM
> To: Jeff MacDonald
> Cc: Alex Hayward; [EMAIL PROTECTED]
> Subject: RE: Another Jail Question
>
>
> On Wed, 4 Dec 2002, Jeff MacDonald wrote:
>
> > wow, the sieve filtering really turns me on [yuck i know].
> >
> > currently with qmail/vpopmail i've not found a really great
> > way to do filtering of things like mailing lists. TMDA does
> > anti spam, but i want more.
> >
> > does the cyrus admin have a series of commands for making
> > new virtual domains, or is it a matter of knowing what directories
> > to make.. etc ?
>
> mkimap 
>
> you have to get a special branch of cyrus, since the code hasn't been
> merged into the main tree yet:
>
> sun# cvs status README
> ===
> File: README            Status: Up-to-date
>
>    Working revision:    1.10
>    Repository revision: 1.10    /cvs/src/cyrus/README,v
>    Sticky Tag:          cyrus-imapd-2_2 (branch: 1.10.4)
>    Sticky Date:         (none)
>    Sticky Options:      (none)
>
>
> >
> > jeff.
> >
> > > -Original Message-
> > > From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, December 04, 2002 1:33 PM
> > > To: Jeff MacDonald
> > > Cc: Alex Hayward; [EMAIL PROTECTED]
> > > Subject: RE: Another Jail Question
> > >
> > >
> > > On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> > >
> > > > I run qmail, cause combined with vpopmail, it kicks ass for virtual
> > > > domains.
> > >
> > > Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is
> just in a class
> > > all its own :)
> > >
> > > Note that CyrusIMAPd was extended several months back to do
> full virtual
> > > domain under a single IP hosting ... each domain has its own admin, own
> > > sieve filtering, own name space, etc ... and configuration is
> as simple as
> > > "create new directory structure for new domain", so no configfiles to
> > > modify ...
> > >
> > >
> > >
> >
> >
>
>





RE: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Philip Hallstrom wrote:

> > > > server is a dual PII 300 with 512 megs of ram, this should be fine
> > > > to handle 2 jails, right ?
> > >
> > > unless you start getting into high memory circumstances (ie.
> > > jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...
>
> Just for comparison...
>
> I'm running four jails - apache/php on all, mysql on one, and postgres
> on the host on a 700Mhz, 512mb ram, 2x9gb scsi drives.
>
> Top says:
>
> last pid: 86606;  load averages:  0.00,  0.02,  0.00    up 53+20:08:57  10:48:36
> 93 processes:  1 running, 92 sleeping
> CPU states:  1.9% user,  0.0% nice,  2.6% system,  0.0% interrupt, 95.5% idle
> Mem: 203M Active, 173M Inact, 90M Wired, 27M Cache, 61M Buf, 7856K Free
> Swap: 512M Total, 756K Used, 511M Free
>
> Hardly any traffic... it's an internal dev machine hit by about 10
> people...

101 Jails:

last pid: 13467;  load averages: 21.09, 13.50, 19.54    up 17+12:23:50  13:43:55
1576 processes:4 running, 1572 sleeping
CPU states: 59.0% user,  0.0% nice,  9.0% system,  0.0% interrupt, 32.1% idle
Mem: 2553M Active, 649M Inact, 474M Wired, 157M Cache, 199M Buf, 9120K Free
Swap: 3072M Total, 184M Used, 2888M Free, 5% Inuse

I think I peaked that machine around 196 jails at one point, before we picked
up a second server as well as before we were able to do multiple domains
per VM cleaner than one jail each ...

the load average is misleading, as I've seen it hit as high as 1000 and still
allow me to type on the machine, in order to rectify the problem process(es) ...

God, I love FreeBSD :)






RE: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> wow, the sieve filtering really turns me on [yuck i know].
>
> currently with qmail/vpopmail i've not found a really great
> way to do filtering of things like mailing lists. TMDA does
> anti spam, but i want more.
>
> does the cyrus admin have a series of commands for making
> new virtual domains, or is it a matter of knowing what directories
> to make.. etc ?

mkimap 

you have to get a special branch of cyrus, since the code hasn't been
merged into the main tree yet:

sun# cvs status README
===
File: README            Status: Up-to-date

   Working revision:    1.10
   Repository revision: 1.10    /cvs/src/cyrus/README,v
   Sticky Tag:          cyrus-imapd-2_2 (branch: 1.10.4)
   Sticky Date:         (none)
   Sticky Options:      (none)


>
> jeff.
>
> > -Original Message-
> > From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 04, 2002 1:33 PM
> > To: Jeff MacDonald
> > Cc: Alex Hayward; [EMAIL PROTECTED]
> > Subject: RE: Another Jail Question
> >
> >
> > On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> >
> > > I run qmail, cause combined with vpopmail, it kicks ass for virtual
> > > domains.
> >
> > Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is just in a class
> > all its own :)
> >
> > Note that CyrusIMAPd was extended several months back to do full virtual
> > domain under a single IP hosting ... each domain has its own admin, own
> > sieve filtering, own name space, etc ... and configuration is as simple as
> > "create new directory structure for new domain", so no configfiles to
> > modify ...
> >
> >
> >
>
>





RE: Another Jail Question

2002-12-04 Thread Philip Hallstrom
> > > server is a dual PII 300 with 512 megs of ram, this should be fine
> > > to handle 2 jails, right ?
> >
> > unless you start getting into high memory circumstances (ie.
> > jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...

Just for comparison...

I'm running four jails - apache/php on all, mysql on one, and postgres
on the host on a 700Mhz, 512mb ram, 2x9gb scsi drives.

Top says:

last pid: 86606;  load averages:  0.00,  0.02,  0.00    up 53+20:08:57  10:48:36
93 processes:  1 running, 92 sleeping
CPU states:  1.9% user,  0.0% nice,  2.6% system,  0.0% interrupt, 95.5% idle
Mem: 203M Active, 173M Inact, 90M Wired, 27M Cache, 61M Buf, 7856K Free
Swap: 512M Total, 756K Used, 511M Free

Hardly any traffic... it's an internal dev machine hit by about 10
people...

-philip





RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
wow, the sieve filtering really turns me on [yuck i know].

currently with qmail/vpopmail i've not found a really great
way to do filtering of things like mailing lists. TMDA does
anti spam, but i want more.

does the cyrus admin have a series of commands for making
new virtual domains, or is it a matter of knowing what directories
to make.. etc ?

jeff.

> -Original Message-
> From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 04, 2002 1:33 PM
> To: Jeff MacDonald
> Cc: Alex Hayward; [EMAIL PROTECTED]
> Subject: RE: Another Jail Question
>
>
> On Wed, 4 Dec 2002, Jeff MacDonald wrote:
>
> > I run qmail, cause combined with vpopmail, it kicks ass for virtual
> > domains.
>
> Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is just in a class
> all its own :)
>
> Note that CyrusIMAPd was extended several months back to do full virtual
> domain under a single IP hosting ... each domain has its own admin, own
> sieve filtering, own name space, etc ... and configuration is as simple as
> "create new directory structure for new domain", so no configfiles to
> modify ...
>
>
>





RE: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> I run qmail, cause combined with vpopmail, it kicks ass for virtual
> domains.

Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is just in a class
all its own :)

Note that CyrusIMAPd was extended several months back to do full virtual
domain under a single IP hosting ... each domain has its own admin, own
sieve filtering, own name space, etc ... and configuration is as simple as
"create new directory structure for new domain", so no configfiles to
modify ...






RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
> Note that the 'security risk' is more based on the trust level you have
> for your users ... if its just you, or you and a few friends, you
> shouldn't have an issue with it ... the one issue you will have with
> shared memory and jails is that I *believe* that Apache2 requires shared
> memory to work, so if you decide to start working with that, you have to
> open it up anyway ...

hrmm yeah, i do run apache 2 currently, so i guess it does need to be opened
up.

> processes inside of the jail only *see* the one IP, so binding to
> ADDR_IANY will only see the one IP to bind to ...
>
> One thing to note when  you are setting things up ... if you are using
> sendmail, make sure you sent DontProbeInterfaces to True (Default is
> false), else you get some weird results when not all jails are up and
> running ...

Sendmail == torture :)

I run qmail, cause combined with vpopmail, it kicks ass for virtual domains.





RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
ha ! ;)

it's a sparc classic, 50mhz proc, 64 ram, 2 gig scsi drive.

it's got 2 nics, so it's perfect for a house natd box, and that's
about it.

> -Original Message-
> From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 04, 2002 12:15 PM
> To: Jeff MacDonald
> Cc: [EMAIL PROTECTED]
> Subject: RE: Another Jail Question
>
>
> On Wed, 4 Dec 2002, Jeff MacDonald wrote:
>
> > Yeah, i think i'll go the safe route and keep away from shared memory as
> > such will likly run it on the host.
>
> not sure what your sparc is, but you might look at putting postgresql over
> there, which might allow you to create a larger cache buffer ... at the
> University, our firewall logs to PostgreSQL, and has a 1gig cache buffer
> to handle it, but it all depends on what you are doing with the database
> ...
>
>
>





RE: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> Yeah, i think i'll go the safe route and keep away from shared memory as
> such will likely run it on the host.

not sure what your sparc is, but you might look at putting postgresql over
there, which might allow you to create a larger cache buffer ... at the
University, our firewall logs to PostgreSQL, and has a 1gig cache buffer
to handle it, but it all depends on what you are doing with the database
...






RE: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> > You can run PostgreSQL in a jail - though you do need to turn the
> > jail.sysvipc_allowed sysctl on first. You can also run it in the host
> > environment and talk via TCP if you wish.
>
> some folks have said this is a security risk, as the shared mem is not
> "per jail"

Note that the 'security risk' is more based on the trust level you have
for your users ... if its just you, or you and a few friends, you
shouldn't have an issue with it ... the one issue you will have with
shared memory and jails is that I *believe* that Apache2 requires shared
memory to work, so if you decide to start working with that, you have to
open it up anyway ...

> The machine hardly has any load on it now, but i'd effectively be going from
> running 1 instance of fbsd to 3.

figure on ~20 or so processes extra per instance ... about the only major
difference between running a process in a jail vs outside ... if you look
at /proc/*/status, you will see that the processes are 'tag'd so that ps
knows which processes to list ... beyond that, from what I've been
able to determine, the changes are in how a socket is bound ... for
instance, normally when you run inetd, it binds to ADDR_IANY(?), whereas
when you set up a server for a jail'd env, you bind inetd to a specific IP so
that the other ones are more or less 'dangling' until you bind something to
them...

processes inside of the jail only *see* the one IP, so binding to
ADDR_IANY will only see the one IP to bind to ...

One thing to note when you are setting things up ... if you are using
sendmail, make sure you set DontProbeInterfaces to True (Default is
false), else you get some weird results when not all jails are up and
running ...





RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
> Jeff, check with Chris on this, as I believe he's actually running a game
> server inside of one of his jails, with his machine running off of the one
> IP ... in fact, and I may be wrong about this, but you *should* be able to
> avoid the other machine altogether and use IPFW for this, as I *believe*

I'm just gonna use my sparc as a firewall and then delegate ip's. It's been
my plan to use it for a while as a dedicated firewall anyway.

> Actually, you *can* run PgSQL inside of the jail ... the issue is that
> there are security implications of doing that ... the shared memory isn't
> "per jail", so someone in another jail could attach to the shared memory
> in another jail ... by default, shared memory access is disabled inside a
> jail, but there is a sysctl value you can set to enable it ...

Yeah, i think i'll go the safe route and keep away from shared memory as
such will likely run it on the host.

> > server is a dual PII 300 with 512 megs of ram, this should be fine
> > to handle 2 jails, right ?
>
> unless you start getting into high memory circumstances (ie.
> jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...

cool thanks.

Jeff.





RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
Hi,

I run proftpd which already allows jailed processes, in a manner of speaking;
that is, it chroots particular users.

but i have a spare sparc laying here, that is gonna do nat just fine, so i 
might as well use it as a dedicated firewall as well.

jeff.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Dan Pelleg
> Sent: Wednesday, December 04, 2002 11:08 AM
> To: Jeff MacDonald
> Cc: [EMAIL PROTECTED]
> Subject: Re: Another Jail Question
> 
> 
> "Jeff MacDonald" <[EMAIL PROTECTED]> writes:
> 
> > Hi,
> > 
> > I have been thinking about running 2 jails on my home server
> > one for "work sensitive" data, the other for personal fun stuff.
> > 
> > However i only have 1 ip at my house [static].
> > 
> > Could i take the server that will have jails on it, put it behind
> > a natd box so it has 2 ip's [192.168.0.1 and .2] and just make
> > the nat box, forward packets to the appropriate jail based upon
> > what port they come in on ?
> > 
> 
> Yes, and you don't even need a separate box to do NAT - the jail host can
> do it by itself. Here's a how-to for a jailed FTP process configured like
> this:
> 
> http://ezine.daemonnews.org/200212/ftpjail.html
> 
> -- 
> 
>   Dan Pelleg
> 




RE: Another Jail Question

2002-12-04 Thread Jeff MacDonald
> Yes. Or you could just run both jails on the same IP address.

yeah, a few people have said this but i have a spare sparc laying around
to do natd with openbsd, so i may as well put it to good use ;)

> You can run PostgreSQL in a jail - though you do need to turn the
> jail.sysvipc_allowed sysctl on first. You can also run it in the host
> environment and talk via TCP if you wish.

some folks have said this is a security risk, as the shared mem is not
"per jail"

> > server is a dual PII 300 with 512 megs of ram, this should be fine
> > to handle 2 jails, right ?
> 
> That depends what you run in them :-)

The machine hardly has any load on it now, but i'd effectively be going from
running 1 instance of fbsd to 3.

Jeff.




Re: Another Jail Question

2002-12-04 Thread Dan Pelleg
"Jeff MacDonald" <[EMAIL PROTECTED]> writes:

> Hi,
> 
> I have been thinking about running 2 jails on my home server
> one for "work sensitive" data, the other for personal fun stuff.
> 
> However i only have 1 ip at my house [static].
> 
> Could i take the server that will have jails on it, put it behind
> a natd box so it has 2 ip's [192.168.0.1 and .2] and just make
> the nat box, forward packets to the appropriate jail based upon
> what port they come in on ?
> 

Yes, and you don't even need a separate box to do NAT - the jail host can
do it by itself. Here's a how-to for a jailed FTP process configured like
this:

http://ezine.daemonnews.org/200212/ftpjail.html

-- 

  Dan Pelleg




Re: Another Jail Question

2002-12-04 Thread Marc G. Fournier
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> Hi,
>
> I have been thinking about running 2 jails on my home server
> one for "work sensitive" data, the other for personal fun stuff.
>
> However i only have 1 ip at my house [static].
>
> Could i take the server that will have jails on it, put it behind
> a natd box so it has 2 ip's [192.168.0.1 and .2] and just make
> the nat box, forward packets to the appropriate jail based upon
> what port they come in on ?

Jeff, check with Chris on this, as I believe he's actually running a game
server inside of one of his jails, with his machine running off of the one
IP ... in fact, and I may be wrong about this, but you *should* be able to
avoid the other machine altogether and use IPFW for this, as I *believe*
(haven't played with it yet) IPFW has a redirect facility that might do it
for you ... so you'd have use dummynet to create a 'fake ethernet' for the
192.168.0.* address(es) for the jail's to bind on ...

> also, if i have host machine with 2 jails in it, i know i can't run
> PostgreSQL in the jails, can i run it on the host environment and make
> the jails access it via TCP ?

Actually, you *can* run PgSQL inside of the jail ... the issue is that
there are security implications of doing that ... the shared memory isn't
"per jail", so someone in another jail could attach to the shared memory
in another jail ... by default, shared memory access is disabled inside a
jail, but there is a sysctl value you can set to enable it ...

but, yes, you can access the server via tcp at the host level as well ...

> server is a dual PII 300 with 512 megs of ram, this should be fine
> to handle 2 jails, right ?

unless you start getting into high memory circumstances (ie.
jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...






Re: Another Jail Question

2002-12-04 Thread Alex Hayward
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> Hi,
>
> I have been thinking about running 2 jails on my home server
> one for "work sensitive" data, the other for personal fun stuff.
>
> However i only have 1 ip at my house [static].
>
> Could i take the server that will have jails on it, put it behind
> a natd box so it has 2 ip's [192.168.0.1 and .2] and just make
> the nat box, forward packets to the appropriate jail based upon
> what port they come in on ?

Yes. Or you could just run both jails on the same IP address.

> also, if i have host machine with 2 jails in it, i know i can't
> run PostgreSQL in the jails, can i run it on the host environment
> and make the jails access it via TCP ?

You can run PostgreSQL in a jail - though you do need to turn the
jail.sysvipc_allowed sysctl on first. You can also run it in the host
environment and talk via TCP if you wish.

> server is a dual PII 300 with 512 megs of ram, this should be fine
> to handle 2 jails, right ?

That depends what you run in them :-)

I don't think there's any remotely significant overhead in having a
process run in a jail compared to having one run outside a jail.


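Alex's reply names the jail.sysvipc_allowed sysctl, Marc's replies explain why turning it on matters (SysV shared memory is host-wide, so a process in one jail can attach segments created in another) and, earlier in the thread, why sendmail on a multi-jail host wants DontProbeInterfaces set to True. The following is an added example, not code from the thread or from FreeBSD: a Python audit that parses sysctl output and a sendmail.cf fragment and reports both settings, the way a host-hardening check would. The sample `sysctl` and `sendmail.cf` text is constructed for the example, and the function names (`parse_sysctl`, `audit_sysvipc`, `audit_sendmail_probe`, `audit_host`) are mine.

```python
"""Audit two settings from the thread on a multi-jail FreeBSD host: the
jail.sysvipc_allowed sysctl (SysV IPC is shared across jails) and
sendmail's DontProbeInterfaces option.

Added example, not code from the thread. The sysctl and sendmail.cf text
below is constructed sample input, not captured from a real host."""
import re
from typing import Dict, List

# Constructed sample of `sysctl jail` output on a host that has enabled
# SysV IPC for its jails (e.g. to run PostgreSQL inside one of them).
SAMPLE_SYSCTL = """\
jail.set_hostname_allowed: 1
jail.socket_unixiproute_only: 1
jail.sysvipc_allowed: 1
"""

# Constructed sendmail.cf fragment that still uses the default probing behaviour.
SAMPLE_SENDMAIL_CF = """\
# level 10 config file format
V10/Berkeley
O LogLevel=9
O DontProbeInterfaces=False
"""


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines as printed by sysctl(8)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+):\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_sysvipc(settings: Dict[str, str]) -> List[str]:
    """Flag jail.sysvipc_allowed unless it is explicitly 0."""
    value = settings.get("jail.sysvipc_allowed")
    if value is None:
        return ["jail.sysvipc_allowed not present in sysctl output; cannot confirm "
                "SysV IPC is blocked inside jails"]
    if value != "0":
        return [f"jail.sysvipc_allowed={value}: SysV shared memory is host-wide, not "
                "per jail, so a process in one jail can attach segments created in "
                "another; keep it 0 and run PostgreSQL on the host, reached over TCP"]
    return []


def audit_sendmail_probe(cf_text: str) -> List[str]:
    """Flag a sendmail.cf that does not set DontProbeInterfaces=True."""
    m = re.search(r"^O\s+DontProbeInterfaces\s*=\s*(\S+)", cf_text, re.MULTILINE)
    if m is None or m.group(1).lower() not in ("true", "yes", "1"):
        return ["DontProbeInterfaces is not True: sendmail probes every interface "
                "address, which the thread reports misbehaves when not all jails are up"]
    return []


def audit_host(sysctl_text: str, sendmail_cf: str) -> List[str]:
    """Run every check and return the combined list of findings."""
    return audit_sysvipc(parse_sysctl(sysctl_text)) + audit_sendmail_probe(sendmail_cf)


if __name__ == "__main__":
    for finding in audit_host(SAMPLE_SYSCTL, SAMPLE_SENDMAIL_CF):
        print("-", finding)
```

On a real host the inputs would come from `sysctl jail` and `/etc/mail/sendmail.cf`; a clean run returns an empty list, so the script can sit in a periodic check and alert only when one of the two settings drifts.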



Re: Another Jail Question

2002-12-04 Thread Kirk Strauser

At 2002-12-04T14:27:33Z, "Jeff MacDonald" <[EMAIL PROTECTED]> writes:

> Could i take the server that will have jails on it, put it behind a natd
> box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box,
> forward packets to the appropriate jail based upon what port they come in
> on ?

Yep.

> also, if i have host machine with 2 jails in it, i know i can't run
> PostgreSQL in the jails, can i run it on the host environment and make the
> jails access it via TCP ?

Yep.

> server is a dual PII 300 with 512 megs of ram, this should be fine to
> handle 2 jails, right ?

Yep.

You should be able to do what you're asking without any trouble.
-- 
Kirk Strauser
In Googlis non est, ergo non est.




Re: Another Jail Question

2002-12-04 Thread Ruben de Groot
On Wed, Dec 04, 2002 at 09:27:33AM -0500, Jeff MacDonald typed:
> Hi,
> 
> I have been thinking about running 2 jails on my home server
> one for "work sensitive" data, the other for personal fun stuff.
> 
> However i only have 1 ip at my house [static].
> 
> Could i take the server that will have jails on it, put it behind
> a natd box so it has 2 ip's [192.168.0.1 and .2] and just make
> the nat box, forward packets to the appropriate jail based upon
> what port they come in on ?

Alternatively, you can run both jails on the same IP address. As long
as each jail uses different port numbers there will be no conflicts.

> 
> also, if i have host machine with 2 jails in it, i know i can't
> run PostgreSQL in the jails, can i run it on the host environment
> and make the jails access it via TCP ?
> 
> server is a dual PII 300 with 512 megs of ram, this should be fine
> to handle 2 jails, right ?
> 
> thanks.
> 
> jeff.
> 
