When reading the release notes for 11.1-RELEASE, I noticed this new change:
I like to dedicate entire NICs to a single jail by using multiple routing tables (fibs), and in case anybody else is doing that and would like dedicated loopback interfaces in their jails (Given the change to the jail sub-system in 11.1-RELEASE), this is how I made it work.
My motivation for doing this was to avoid having php-fpm exposed on my jail's network-facing IP-address. When installed via pkg(), the daemon is configured to use TCP by default and to listen on 127.0.0.1. As I see/understand it, this presents a potential security hazard if a jail has only a single LAN-facing IP-address assigned, as all activity to the loopback address would be re-mapped to that LAN-facing IP-address by the kernel, thus exposing the daemons listening on 127.0.0.1 to the network. This, of course, is less of an issue if running pf(), but in my gut it's still a potential problem. I could imagine this being a similar case with MariaDB etc.
While tinkering with this, I found that I was getting errors like the following (I used the jail's sshd as a test):
Code:
# ssh 127.0.1.1
ssh: connect to host 127.0.1.1 port 22: Can't assign requested address
# ssh localhost
socket: Protocol not supported
ssh: connect to host localhost port 22: Protocol not supported
One thing that tripped me up was, as I discovered, that the loopback interfaces for the jails must be configured to use the same fib as the jail in general and its network-facing interface/IP-address.
In this example, I am adding dedicated loopback devices for two jails:
In rc.conf, add the following:
Code:
cloned_interfaces="lo1 lo2"
static_routes="jail1_lo jail2_lo"
route_jail1_lo="-net 127.0.1.0/8 -iface lo1 -fib 1"
route_jail2_lo="-net 127.0.2.0/8 -iface lo2 -fib 2"
The full setup looks something like this:
Code:
cloned_interfaces="lo1 lo2"
static_routes="jail1_lo jail2_lo dmz1_if dmz1_gw dmz2_if dmz2_gw"
route_jail1_lo="-net 127.0.1.0/8 -iface lo1 -fib 1"
route_jail2_lo="-net 127.0.2.0/8 -iface lo2 -fib 2"
route_dmz1_if="-net 10.0.2.0/24 -iface igb1 -fib 1"
route_dmz1_gw="default 10.0.2.1 -fib 1"
route_dmz2_if="-net 10.0.3.0/24 -iface igb2 -fib 2"
route_dmz2_gw="default 10.0.3.1 -fib 2"
After defining these static routes for the fibs, you need to adjust jail.conf() to assign IP-addresses to the jail on both the loopback interfaces and the NICs. For each jail, replace your existing ip4.addr line with the following:
Code:
ip4.addr = "lo1|127.0.1.1/8", "igb1|10.0.2.5/24";
For me, jail1 would look like the following:
Code:
jail1 {
    path = "/jails/jail1";
    mount.fstab = "/etc/fstab.jail1";
    host.hostname = "jail1.myserver.dk";
    exec.fib = "1";
    ip4.addr = "lo1|127.0.1.1/8", "igb1|10.0.2.5/24";
}
Also, if you're using pf() make sure to skip filtering on all the loopback devices:
Code:
set skip on lo0
set skip on lo1
set skip on lo2
Finally, edit the jail's hosts file to reflect that it now has its own dedicated loopback address:
Code:
127.0.1.1 localhost localhost.mydomain
You may need to reboot to apply these changes properly.
Having spent hours working this out, I hope this was useful to somebody out there.
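The mismatch described above (loopback route in one fib, jail's exec.fib in another) is easy to reintroduce when adding a jail later, so here is an added sanity check, written for this post and not part of the original, that compares the fib of each jail's loopback route in rc.conf with the jail's exec.fib in jail.conf. The rc.conf and jail.conf text is constructed inline (jail2's route deliberately uses the wrong fib) so the script runs without touching a real system.

```sh
#!/bin/sh
# Constructed rc.conf fragment: jail2's loopback route is deliberately in fib 1
# while jail2 itself runs in fib 2, reproducing the mismatch from the post.
RC_CONF='cloned_interfaces="lo1 lo2"
route_jail1_lo="-net 127.0.1.0/8 -iface lo1 -fib 1"
route_jail2_lo="-net 127.0.2.0/8 -iface lo2 -fib 1"'

# Constructed jail.conf fragment in the same shape as the post's jail1 block.
JAIL_CONF='jail1 {
    exec.fib = "1";
    ip4.addr = "lo1|127.0.1.1/8", "igb1|10.0.2.5/24";
}
jail2 {
    exec.fib = "2";
    ip4.addr = "lo2|127.0.2.1/8", "igb2|10.0.3.5/24";
}'

# Fib of the rc.conf route_* line that names the given interface (empty if none).
route_fib_for_iface() {   # $1 = rc.conf text, $2 = interface name
    printf '%s\n' "$1" | sed -n "s/^route_.*-iface $2 .*-fib \([0-9]*\).*/\1/p" | head -n 1
}

# Value of one parameter inside the named jail's { ... } block, quotes/semicolon stripped.
jail_param() {            # $1 = jail.conf text, $2 = jail name, $3 = parameter
    printf '%s\n' "$1" | awk -v jail="$2" -v key="$3" '
        $1 == jail && $2 == "{" { inside = 1; next }
        inside && $1 == "}"    { inside = 0 }
        inside && $1 == key    { sub(/^[^=]*=[ \t]*/, ""); gsub(/[";]/, ""); print; exit }'
}

# Loopback interface named in the jail's ip4.addr ("lo1|127.0.1.1/8" -> lo1).
jail_lo_iface() {         # $1 = jail.conf text, $2 = jail name
    jail_param "$1" "$2" ip4.addr | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*\(lo[0-9]*\)|.*/\1/p' | head -n 1
}

# Succeeds only when the jail's exec.fib equals the fib of its loopback route.
check_jail_fib() {        # $1 = rc.conf text, $2 = jail.conf text, $3 = jail name
    exec_fib=$(jail_param "$2" "$3" exec.fib)
    route_fib=$(route_fib_for_iface "$1" "$(jail_lo_iface "$2" "$3")")
    [ -n "$exec_fib" ] && [ -n "$route_fib" ] && [ "$exec_fib" = "$route_fib" ]
}

for j in jail1 jail2; do
    if check_jail_fib "$RC_CONF" "$JAIL_CONF" "$j"; then
        echo "$j: loopback route fib matches exec.fib"
    else
        echo "$j: MISMATCH - loopback route fib differs from exec.fib"
    fi
done
```

On a real host, replace the two constructed strings with `$(cat /etc/rc.conf)` and `$(cat /etc/jail.conf)`.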