concern about jails on loopback interface

Hi,

I'm playing around with jails.

The first thing I did was to set up some jails attached to aliases on a real network interface (not loopback). Everything was working fine, I could connect from a jail on one machine to a service running within a jail on another machine. I can manage the configuration steps needed to achieve that.

What I disliked about it was, that I had to mount /dev/mem and /dev/kmem within jails, to enable routing. And I guess that could be one of the reasons why people do use NAT for jails.

So now I'm trying to set up some jails with NAT. Therefore I use aliases on the loopback interface. I'm able to connect from one jail to a service running in another jail on the same machine. That works even without NAT, just by using the assigned (loopback) aliases.

Now I was about to set up natd+ipfw. Let's try first with the outgoing traffic. From what I have read about jails and NAT, I understand that the main issue is to translate the network address through natd, which is called by ipfw. I was playing around and I did tcpdump on both the rl0 and the lo0 interfaces. All outgoing traffic occurs only in the lo0 tcpdump and I am asking myself what I need to do to make it visible on the rl0 interface.

Should I not use lo0 for jails at all, but rl0 instead with some "loopback alike IP" aliases?

Thanks in advance!
 
kriscom said:
What I disliked about it was, that I had to mount /dev/mem and /dev/kmem within jails, to enable routing. And I guess that could be one of the reasons why people do use NAT for jails.
Routing should be configured on the host, not the jail. Same for NAT'ing a lo0 clone.
 
What I meant by saying "to enable routing" was... without binding /dev/mem and /dev/kmem the network was not working.

Without mounting them I cannot even telnet to my host from within a jail and I have no clue why.

/etc/rc.conf
Code:
ifconfig_rl0="inet 192.168.2.4 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
...
ifconfig_rl0_alias0="inet 192.168.2.10 netmask 255.255.255.255"
...
jail_test1_ip="192.168.2.10"

netstat -r
Code:
Destination        Gateway            Flags    Refs      Use  Netif Expire
localhost          localhost          UH          0        0    lo0
192.168.2.0        link#1             UC          0        0    rl0
192.168.2.1        some mac           UHLW        1       29    rl0    396
192.168.2.3        some mac           UHLW        1       85    rl0   1167
192.168.2.4        some mac           UHLW        1        1    lo0
192.168.2.10       some mac           UHLW        1       68    lo0 =>
192.168.2.10/32    link#1             UC          0        0    rl0

From within a jail I get
Code:
test1# telnet 192.168.2.4 25
Trying 192.168.2.4...
telnet: connect to address 192.168.2.4: Connection refused
telnet: Unable to connect to remote host
for the host machine (lo0)

and
Code:
test1# telnet 192.168.2.3 25
Trying 192.168.2.3...
telnet: connect to address 192.168.2.3: Operation timed out
telnet: Unable to connect to remote host
for a machine on the network (rl0)

Is there something wrong with the routes?
 
Shame on me!

It was a firewall on my proxy running on another machine...

It helped me to write my problem down...

Thanks and sorry...
 
kriscom said:
What I meant by saying "to enable routing" was... without binding /dev/mem and /dev/kmem network was not working.
These shouldn't be needed and should be removed too. Allowing access to those devices could potentially be a security risk as applications will have access to the entire (physical) memory, including the memory used by the host and other jails.
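One way to make sure a jail never sees /dev/mem or /dev/kmem is to give it a restrictive devfs ruleset on the host. The fragment below is an added example, not configuration from this thread: it assumes the stock rulesets from /etc/defaults/devfs.rules (devfsrules_hide_all, devfsrules_unhide_basic, devfsrules_unhide_login) and the old-style jail_test1_* rc.conf variables the original poster already uses; the ruleset name and number are chosen here.

```ini
# /etc/devfs.rules (added example): ruleset for the "test1" jail.
# Start by hiding every device node, then unhide only the basic set
# (null, zero, random, ...) and the tty/pty nodes needed to log in.
# /dev/mem, /dev/kmem and /dev/io stay hidden, so no process in the
# jail can read or write raw host memory. Ruleset number 100 is
# arbitrary; 1-4 are taken by the stock rulesets.
[devfsrules_jail_test1=100]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

# /etc/rc.conf (added example): attach the ruleset to the jail, next to
# the existing jail_test1_ip line. rc.d/jail mounts devfs in the jail
# root and applies the ruleset before the jail starts.
jail_test1_devfs_enable="YES"
jail_test1_devfs_ruleset="devfsrules_jail_test1"
```

After restarting the jail, `ls /dev` inside it should list no mem, kmem or io nodes; if a daemon then fails to start, unhide the specific device it needs with a dedicated `add path ... unhide` rule rather than reverting to the full device tree.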
 