Re: jails and multple interfaces



On Wednesday 31 January 2007 11:40, Jeffrey Williams wrote:
> Milan Obuch wrote:
>> On Wednesday 31 January 2007 11:06, Jeffrey Williams wrote:
>>> Hi Folks,
>>>
>>> I am trying to set up a jail hosting server to support multiple jails for
>>> development testing.
>>>
>>> The server has two network interfaces, I am configuring one for host
>>> server to use, and the other with several aliased IPs, one for each of
>>> the jail servers.
>>>
>>> All the services running on the host are configured to bind to the host
>>> IP on the first interface.
>>>
>>> ...
>>
>> Why are you doing this? Are your addresses from the same network segment?
>> I am binding my jail addresses to loopback interface and route them -
>> this way you could easily start take-over jail on another machine and
>> change routing table (or use dynamic routing) to minimize downtime on
>> hardware upgrades, big OS upgrades etc. I do not consider this the best
>> way, but it just satisfies my needs.
>> Regards,
>> Milan
>
> I want to segregate the jail and jail host traffic on separate interfaces.

What do you mean with segregate? Why do you need them going through two
physical interfaces? Maybe I just can't see my nose between eyes, but I do
not understand the purpose of doing so.

> How do you route traffic off your loopback interface? By definition, this
> interface only allows the network stack to talk to itself?


There is nothing special there - my physical interface address is from one
segment, there is route added on upstream router for loopback bound
addresses. It is not true you are able to talk only to itself with loopback
address, it is true only for loopback address (127.0.0.1/8). All my tests
show it works the way I want. Actually in jail you see only one IP address
on an interface, and regardless which one, all traffic from jailed process
uses this address as source address. Routing is done in host stack in any
case.

Regards,
Milan

--
This address is used only for mailing list response.
Do not send any personal messages to it, use milan in
address instead.
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"


