Does each jail need its own loopback or can they all share one?

puppyboy

Member

Reaction score: 4
Messages: 50

I thought this would be clearly spelled out somewhere but if it is I can't find it.

Under the ezjail section in the handbook it includes a couple parts about creating an extra loopback for a jail. First you create it with cloned_interfaces="lo1" in /etc/rc.conf, and then in the example jail it creates using that loopback: # ezjail-admin create dnsjail 'lo1|127.0.1.1,em0|192.168.1.50'



What I'm not clear on, is if every jail can use this same loopback, or if I need a new one for every new jail I create. I don't see it mentioned in the jail sections of the handbook so I'm asking you guys. Which is it?
 
puppyboy

Member

Reaction score: 4
Messages: 50

One for all is correct.
What about the loopback IP specified in the ezjail create command? Could the 127.0.1.1 address be used for every jail? Or does a different one need to be specified? If so, how should it be incremented? 127.0.1.2? or 127.0.2.1?
 

Remington

Well-Known Member

Reaction score: 146
Messages: 493

Loopback is only good if you want to use NAT and keep some jails separate from NIC. In my opinion, there is no benefit by using loopback interface since firewall can block jails with IP 192.168.1.50 from NIC as well. If your computer is behind a router with DHCP then there is no need for loopback. If your server is at a datacenter with only one IP address then loopback does make sense.
 

Remington

Well-Known Member

Reaction score: 146
Messages: 493

What about the loopback IP specified in the ezjail create command? Could the 127.0.1.1 address be used for every jail? Or does a different one need to be specified? If so, how should it be incremented? 127.0.1.2? or 127.0.2.1?
No, it's not required for every jail. It has to be in the same subnet, so it would be 127.0.1.1, 127.0.1.2, 127.0.1.3.
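
The address scheme from Remington's reply above (one shared lo1, one address per jail in the same subnet), as an added example that is not part of any post in this thread. The jail names webjail and mailjail and the helper plan_jails are hypothetical; the script only prints the commands and creates nothing.

```sh
#!/bin/sh
# Added example: plan ezjail-admin create commands for several jails that
# share one cloned loopback, each with its own address in the same /24.

# plan_jails IFACE PREFIX FIRST_HOST NAME...
#   IFACE       shared loopback, e.g. lo1
#   PREFIX      first three octets, e.g. 127.0.1
#   FIRST_HOST  last octet given to the first jail, e.g. 1
plan_jails() {
    iface=$1 prefix=$2 host=$3
    shift 3
    case $host in
        ''|*[!0-9]*) echo "first host must be a number: $host" >&2; return 1 ;;
    esac
    seen=" "
    for name in "$@"; do
        # Reject names that would need quoting on the command line.
        case $name in
            ''|*[!A-Za-z0-9_-]*) echo "bad jail name: $name" >&2; return 1 ;;
        esac
        # Two jails with the same name would collide in ezjail.
        case $seen in
            *" $name "*) echo "duplicate jail name: $name" >&2; return 1 ;;
        esac
        # Stay inside the usable host range of the /24.
        if [ "$host" -lt 1 ] || [ "$host" -gt 254 ]; then
            echo "no address left in $prefix.0/24 for $name" >&2; return 1
        fi
        printf "ezjail-admin create %s '%s|%s.%s'\n" \
            "$name" "$iface" "$prefix" "$host"
        seen="$seen$name "
        host=$((host + 1))
    done
}

# Constructed sample: dnsjail is from the thread, the other two are made up.
echo 'cloned_interfaces="lo1"   # /etc/rc.conf, set once for all jails'
plan_jails lo1 127.0.1 1 dnsjail webjail mailjail
```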
 

chrbr

Aspiring Daemon

Reaction score: 240
Messages: 670

What about the loopback IP specified in the ezjail create command? Could the 127.0.1.1 address be used for every jail?
127.0.1.1 for all jails is OK. Of course you can assign 192.168.1.51 and so on for the jails, too. Then the NIC can be addressed by the jails directly. I think this is the message of Remington. I use loopback so that my jails can communicate with the base system directly via mail and so on.

For example one jail might be used for a web browser. Then you connect the jail to the NIC by assigning an address from the range of your base. Or you use communication via the loopback interface. Then it needs a proxy on the base system (what I do using privoxy listening at the loopback interface) or NAT.

I am not sure if a loopback interface is mandatory for a jail or not. If in doubt, follow Remington.
 

Remington

Well-Known Member

Reaction score: 146
Messages: 493

Loopback is not mandatory since you can assign 192.168.1.51, 192.168.1.52 and so on if you're behind a router or have multiple assigned static IP addresses provided by datacenter.
 
puppyboy

Member

Reaction score: 4
Messages: 50

Sounds like this is a topic that could merit its own page in the handbook.
Thanks for your answers. I think I see how I need to set things up.
 