vnet jail for local only or public access
Ernie Luzar
luzar722 at gmail.com
Fri Jul 17 20:31:55 UTC 2020
Alexander Leidinger wrote:
> Quoting Ernie Luzar <luzar722 at gmail.com> (from Fri, 17 Jul 2020 08:46:07
> -0400):
>
>> Trying to figure out how to configure a vnet jail so it is restricted
>> to only being able to talk to other vnet jails on the same host, i.e.
>> local-only vnet jails, as opposed to the kind of vnet jail that is
>> able to access the public internet.
>>
>> Using the bridge/epair method of connecting vnet jails to the host.
>> [ based on this how-to ]
>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>
>>
>> It's my understanding that this behavior is controlled by whether the
>> host's interface connected to the public internet is added as a member
>> to the bridge that the vnet jails' epairXa interfaces are members of.
>
> Partly correct. You can also have a setup where your host is routing
> between what you call the public internet and the local only vnets.
>
>> I tested this on a remote vm and found that it made no difference one
>> way or the other whether the host's interface connected to the public
>> internet was added as a member to the bridge or not. In both cases the
>> vnet jail had public internet access.
>
> It shouldn't, if there is no routing involved.
>
> Please show us "ifconfig -a" and "netstat -rn" of the host.
>
> Bye,
> Alexander.
>
/root >netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
10.0.20.0/24       link#5             U           bridge10
10.0.20.2          link#5             UHS         lo0
xxx.25.48.0/20     link#2             U           re0
xxx.25.51.0        link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
/root >
/root >ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether d0:50:99:93:75:98
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 50:3e:aa:06:11:22
        inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-only-bridge
        ether 02:3e:ba:a7:58:0a
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge
        nd6 options=1<PERFORMNUD>
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-dir10
        options=8<VLAN_MTU>
        ether 02:f6:61:9a:b4:0a
        inet6 fe80::f6:61ff:fe9a:b40a%epair4a prefixlen 64 scopeid 0x6
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Vnet jail can ping the public internet.
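As an added example (not code from the thread, from qjail, or from either poster), the script below turns Alexander's point about routing into a check. It parses the host's "ifconfig -a" and "netstat -rn4" output and reports whether a jail on a given bridge has a bridged path to the outside (the public interface is a member of the jail bridge) or a routed path (the host holds an address on the bridge and forwards IP, so the host itself is the jail's gateway). The sample output embedded in it is a constructed, trimmed copy of the output above; the function names, the result tokens and the check_live wrapper are my own, and check_live reads the net.inet.ip.forwarding sysctl, which the thread does not show.

```shell
#!/bin/sh
# Added example, not code from the thread or from qjail: work out from the
# host's "ifconfig -a" and "netstat -rn4" output (plus net.inet.ip.forwarding)
# how a bridge/epair vnet jail can reach beyond its host.
#   bridged  - the public interface is itself a member of the jail bridge
#   routed   - the host holds an address on the bridge and forwards IP, so
#              traffic the jail sends to that address leaves via the host's
#              default route (replies also need NAT, which is not inspected)
#   isolated - neither path exists
# Interface names and addresses follow the thread; the embedded sample
# output is a constructed, trimmed copy of it for offline use.

# bridge_has_member IFCONFIG_OUT BRIDGE IFACE -> exit 0 if IFACE is a member of BRIDGE
bridge_has_member() {
    printf '%s\n' "$1" | awk -v br="$2" -v ifc="$3" '
        # an interface header looks like "re0: flags=8843<...>"; remember its name
        $1 ~ /^[a-z0-9.]+:$/ && $2 ~ /^flags=/ { cur = $1; sub(/:/, "", cur) }
        cur == br && $1 == "member:" && $2 == ifc { found = 1 }
        END { exit found ? 0 : 1 }'
}

# bridge_host_addr IFCONFIG_OUT BRIDGE -> the host's IPv4 address on BRIDGE, if any
bridge_host_addr() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 ~ /^[a-z0-9.]+:$/ && $2 ~ /^flags=/ { cur = $1; sub(/:/, "", cur) }
        cur == br && $1 == "inet" { print $2; exit }'
}

# default_route_if NETSTAT_OUT -> Netif column of the default route ("" if none)
default_route_if() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# classify_jail_path IFCONFIG_OUT NETSTAT_OUT BRIDGE PUBLIC_IF FORWARDING(0|1)
# Prints one of: bridged, routed, routed-when-forwarding-enabled, isolated
classify_jail_path() {
    if bridge_has_member "$1" "$3" "$4"; then
        echo bridged
        return 0
    fi
    host_addr=$(bridge_host_addr "$1" "$3")
    if [ -n "$host_addr" ] && [ -n "$(default_route_if "$2")" ]; then
        if [ "$5" = 1 ]; then echo routed; else echo routed-when-forwarding-enabled; fi
        return 0
    fi
    echo isolated
}

# check_live BRIDGE PUBLIC_IF -> the same classification on the FreeBSD host itself
check_live() {
    classify_jail_path "$(ifconfig -a)" "$(netstat -rn4)" "$1" "$2" \
        "$(sysctl -n net.inet.ip.forwarding)"
}

# Constructed sample: a trimmed copy of the host output posted in the thread.
SAMPLE_IFCONFIG=$(cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-only-bridge
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-dir10
EOF
)
SAMPLE_NETSTAT=$(cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.20.0/24       link#5             U           bridge10
xxx.25.48.0/20     link#2             U           re0
127.0.0.1          link#3             UH          lo0
EOF
)

# Offline run: re0 is not a bridge10 member, but the host owns 10.0.20.2 on the
# bridge and has a default route out re0, so forwarding alone opens a path.
printf 'forwarding=1: %s\n' "$(classify_jail_path "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT" bridge10 re0 1)"
printf 'forwarding=0: %s\n' "$(classify_jail_path "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT" bridge10 re0 0)"
```

On the output posted above the host owns 10.0.20.2 on bridge10 and has a default route out re0, so whether re0 is a bridge member is not the only thing that matters: if net.inet.ip.forwarding is 1 the host routes for the jail, which is consistent with seeing no difference either way. To keep a bridge local-only, either give the host no address on that bridge (so it cannot act as the jails' gateway), leave forwarding off, or filter the bridge address with pf; `check_live bridge10 re0` on the host shows which of the two paths is currently open.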