Jails and networks
Norman Gray
norman.gray at glasgow.ac.uk
Sun Aug 26 18:19:43 UTC 2018
Dave and other spectators, hello.
On 25 Aug 2018, at 16:21, Dave Cottlehuber wrote:
> Your jail needs to have some way to send & receive traffic via the
> host to the internet. Just adding a 192.168.0.0 address to the
> external igb0 interface will only work if the adjacent router allows
> that, and it almost certainly won't by default.
>
> This means you need either NAT or routing on your system to take
> care of this for you.
*sigh* this was the problem. The host is on a 172.16.0.0/12 private
network (which routes to the internet), the jails were on
192.168.0.0/16, and there was no routing between them. I added (the
commented equivalent of)
# external (host) interface and the interface the jails live on
ext_if   = "igb0"
jail_if  = "lo1"
# the jails' subnet and the host's external subnet, taken from the interfaces
jail_net = $jail_if:network
internet = $ext_if:network
scrub in all
# translate jail traffic leaving via igb0 so the adjacent router will route it
nat pass on $ext_if from $jail_net to any -> $internet
pass out
pass in
to /etc/pf.conf, and I can now happily route from the jail to the World
Wide Web of Wonderfulness.
----
This is of course fairly obvious in retrospect.
In production, these jails will have to talk only to the host (they'll
be Ceph nodes), but of course when experimenting, and when setting
things up, they'll have to be able to see further afield. I had the
endpoint (too) firmly in mind when I started on the sub-problem of
learning about jails, so I never reexamined the slightly unusual network
environment I had initially set up for myself.
Moral: when you cut down the problem to make it easier to understand,
make sure the sub-problem is actually simpler. Step further back.
In my original list post, I even said, apropos one of the most useful
resources I found, 'Now, I don't think I need pf in my situation, so I
want to skip that part of the instructions.' Did I mention: *sigh*?
Moral: when you skip part of the instructions, be _really_ clear why
they were there in the first place.
I have a clearer idea of jails+interfaces than I had: jails are much
less magical than I thought going into this, and in particular the set
of interfaces in the jail is (roughly) merely a tweaked version of the
host's.
I confess I'm still unclear why I don't see a default route in
`netstat -rn` within the jail, and that `telnet www.gla.ac.uk 80` works
but `route get www.gla.ac.uk` claims there is no route. But perhaps I'll
leave that mystery for another day.
But at least I got to spend some quality time with Stevens' IP book, so
that was good.
Thanks again to all who gave advice, and best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
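An added example, not Norman's ruleset: a complete /etc/pf.conf for the layout described in the thread (host on igb0 in 172.16.0.0/12, jails on lo1 in 192.168.0.0/16), with the experimenting variant that NATs the jails out through igb0 and, commented, the production variant in which the jails may only reach the host. The jail subnet, the host's lo1 address and the Ceph port list are assumptions, not values from the post.

```pf
# Added example (not from the original post). Assumed values are marked.
ext_if   = "igb0"
jail_if  = "lo1"
jail_net = "192.168.0.0/16"       # assumed: what $jail_if:network expands to
host_on_jail_net = "192.168.0.1"  # assumed: the host's own address on lo1
ceph_ports = "{ 3300, 6789, 6800:7300 }"  # assumed: Ceph mon/OSD ports

set skip on lo0
scrub in all

# --- experimenting / provisioning: jails reach the internet via the host ---
# ($ext_if) in parentheses is looked up when a packet is translated, so the
# jails are hidden behind igb0's current address even if that address changes.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Default deny, with logging so pfctl/tcpdump on pflog0 shows what was dropped.
block log all

# Host <-> jails on the internal interface (broad, for setup time only).
pass on $jail_if all

# Anything leaving the host on igb0; jail traffic has already been NATed here.
pass out on $ext_if keep state

# Administrative access to the host itself.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# --- production: Ceph jails talk only to the host -------------------------
# Comment out the "nat on $ext_if ..." line and the "pass on $jail_if all"
# line above, then uncomment these.  With no NAT and no pass rule towards
# igb0, a jail that tries to reach anything beyond the host is dropped and
# logged by "block log all".
# pass on $jail_if proto tcp from $jail_net to $host_on_jail_net port $ceph_ports
# pass on $jail_if proto tcp from $host_on_jail_net to $jail_net port $ceph_ports
# block drop log on $jail_if from $jail_net to ! $host_on_jail_net
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm what is actually in effect afterwards with `pfctl -s nat` and `pfctl -s rules`.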