different default gateway for jails planned/possible?

From: Emanuel Strobl (Emanuel.strobl_at_gmx.net)
Date: 05/31/05

To: freebsd-current@freebsd.org
Date: Tue, 31 May 2005 00:14:39 +0200

Dear all,

will it be possible to define a different default gateway for a jail?
Imagine a system with two interfaces, one for the host on a local GbE
switch (with NFS service) and the other one connected to a different
DMZ switch which should serve different jails.
Now the DMZ is useless since anybody who broke into one jail can reach all
hosts on the "host" interface without having the possibility to restrict
traffic on the router since the packets go straight to the GbE interface.
This is a big security disadvantage, and if I block these packets I can't
any longer connect from machines inside the GbE network to the jails in
the DMZ. The request will be routed but answers go down the "host"
interface instead of the DMZ router interface. Even a different default
gateway wouldn't help in this case; the kernel would have to "keep in mind" that
packets from a jail mustn't be forwarded through any jail-foreign
interface. Also the usual routing table would have to be overwritten since
packets from a jail should go over the router to the GbE network (although
there is a well known route, the interface which has the GbE net
configured).
But at least packets from a jail should be limited so that they can't pass any
other interface(s) than the one(s) which belong to the particular jail.
I think PF's route-to next-hop rule would be a workaround for my problem
but I'm not too happy to have PF on a GbE fileserver.

Another jail question: Is it possible to limit resources on a per-jail basis?
Like resource restrictions for users in login.conf, only for whole jails.

Thanks a lot,

-Harry
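
The route-to / reply-to workaround the mail mentions, written out as an added pf.conf example (it is not part of the original thread and not FreeBSD project code); the interface names, the DMZ router address and both networks are constructed placeholders, and the jail IPs are assumed to be aliases on the DMZ interface.

```pf
# Constructed names/addresses for illustration only.
gbe_if   = "em0"            # host-side GbE interface (NFS, management)
dmz_if   = "em1"            # DMZ-side interface carrying the jail aliases
dmz_gw   = "192.0.2.1"      # DMZ router: the only path in or out for jails
jail_net = "192.0.2.0/24"   # jail addresses (aliases on $dmz_if)

set skip on lo0

# Default deny for the jails on the host interface: a packet with a jail
# source address never leaves via the GbE interface on its own.
block out on $gbe_if from $jail_net to any

# Last matching rule wins (no "quick"), so this overrides the block above:
# when the routing table picks the GbE interface for a jail packet, PF
# hands it to the DMZ router instead, so the router's policy applies even
# for destinations on the directly attached GbE network.
pass out on $gbe_if route-to ($dmz_if $dmz_gw) from $jail_net to any keep state

# Requests that reach a jail through the DMZ router get their replies sent
# back through that router (reply-to) rather than straight down the GbE
# interface, which removes the asymmetric-routing problem described above.
pass in on $dmz_if reply-to ($dmz_if $dmz_gw) proto { tcp udp } from any to $jail_net keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax, and confirm the effect with `pfctl -ss` (states) and `tcpdump -ni em1` while connecting from the GbE network to a jail.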
