I do something similar, but I rely entirely on vnet and PF instead of
netgraph. My host has two ethernet ports, so I use one for the host
and one for all of the jails. That makes the pf setup easier. I use
iocage to configure an ordinary vnet jail, bridged to the host's
second ethernet port.
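As an added illustration of the two-NIC layout described above (example configuration written for this page, not the poster's own pf.conf), here is a host pf.conf that leaves the host's NIC alone and does all jail filtering on the second NIC. Every name in it is an assumption: em0 as the host NIC, em1 as the NIC that bridge0 and the jails' vnet0 epairs are members of, and 192.0.2.0/24 (a documentation prefix, chosen here) as the jail subnet; the permitted ports are placeholders to edit.

```pf
# Two-NIC jail host, example pf.conf (constructed for this page).
# Assumptions: em0 = host NIC, em1 = jail NIC (member of bridge0),
# jails live in 192.0.2.0/24. pf only sees jail frames on em1 if the
# bridge keeps its default net.link.bridge.pfil_member=1.
host_if   = "em0"
jail_if   = "em1"
jail_net  = "192.0.2.0/24"
jail_out_tcp = "{ 22 80 443 }"    # placeholder egress allow-list
jail_in_tcp  = "{ 80 443 }"       # placeholder services the jails offer

set skip on lo0

# Host NIC: only SSH in to the host's own address, anything out.
block in on $host_if
pass in quick on $host_if proto tcp to ($host_if) port 22 keep state
pass out quick on $host_if keep state

# Jail NIC: default deny in both directions, logged.
block log on $jail_if

# Sanity checks on every packet crossing the jail NIC:
# toward the wire, the source must be a jail address (no spoofing out of a jail);
block drop out log quick on $jail_if from ! $jail_net
# from the wire, a jail address must never arrive from outside.
block drop in log quick on $jail_if from $jail_net

# Jail egress: a short TCP list plus DNS, stateful so replies come back.
pass out quick on $jail_if proto tcp from $jail_net to any port $jail_out_tcp \
    flags S/SA keep state
pass out quick on $jail_if proto udp from $jail_net to any port 53 keep state

# Jail ingress: only the services the jails are meant to serve.
pass in quick on $jail_if proto tcp from any to $jail_net port $jail_in_tcp \
    flags S/SA keep state
```

The bridge itself is set up outside pf (rc.conf `cloned_interfaces="bridge0"` and `ifconfig_bridge0="addm em1 up"`, with the jail's vnet0 attached to bridge0 through iocage's `interfaces` property). Two things to check before trusting the ruleset: `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`, because if member filtering is off pf never sees the em1 packets these rules key on, and `pfctl -vnf /etc/pf.conf` after editing the placeholder port lists.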
many good questions but looking at what you are doing, maybe we should
be asking you the questions.
Certainly firewalling on the outside of the jail makes sense. I've not
used ng_ipfw but it would make sense to do a quick sanity check for
every packet leaving each jail.
On 14/2/17 9:47 am,
For several years I've been using netgraph to provide connectivity for
"service hosts" in jails on a "jail server".
Since I'm finally getting the jail server off FreeBSD 9 and solidly onto
11, I've got the chance to rewrite the scripting of how I'm handling
jail connectivity and am hoping that