
IPFW, Jail and network alias

kazix

Member


#1
Hello,

I'm trying to configure IPFW on a machine with jails (FreeBSD 11.1).

The host has one big lagg0, and when a jail starts it creates an alias on this lagg0.

Code:
lagg0: flags=8843... metric 0 mtu 1500   options=401ba....
    ether ....
    inet 10.10.1.102 netmask 0xffffff00 broadcast 10.10.1.255 
    inet 10.10.1.139 netmask 0xffffffff broadcast 10.10.1.139 
    inet 10.10.1.141 netmask 0xffffffff broadcast 10.10.1.141 
    inet 10.10.1.25 netmask 0xffffffff broadcast 10.10.1.25 
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    groups: lagg 
    laggproto lacp lagghash l2,l3,l4
    laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: igb1 flags=0<>
    laggport: bce0 flags=0<>
jail_1 has the 10.10.1.139 address
jail_2 has the 10.10.1.139 address
...

I understand that I can't run IPFW in a jail; it must be on the host machine :(

But is there any way to set rules per jail (network alias)?

example:

Jail_1: only incoming DNS, HTTP, HTTPS, ...
Jail_2: only incoming SMTP, IMAP, ...
...

Thanks for help
kzx

ShelLuser

Daemon


#2
Well, each jail needs to have its own IP address which you can use in the firewall of the host to control incoming traffic.

kazix

Member


#3
OK, but how do I write this rule in IPFW?

example:
Code:
cmd="ipfw -q add"   # assumed to be set as in the Handbook's rc.firewall example; not shown in the original post
pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif
How should this rule look if I want to allow SSH access from any host only to jail_1 (10.10.1.139)?
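Putting #2 and #3 together, the following is an added example script, not from the thread or from the FreeBSD Handbook, that emits host-side IPFW rules keyed by each jail's alias address instead of `me`. The rule numbers, the service lists, and the 10.10.1.141 address for jail_2 (taken from the ifconfig output, not stated in the post) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-jail IPFW rules on the host, keyed by the
# alias address each non-VNET jail uses on lagg0. Rule numbers, service lists and the
# jail_2 address are assumptions.
pif="lagg0"
cmd="ipfw -q add"

# Print the rules by default so they can be reviewed; DRY_RUN=0 loads them for real.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# jail_rules BASE IP PROTO/PORT...
# Emits one allow rule per listed service, numbered from BASE, then a deny at
# BASE+99 so nothing else reaches that jail's address from outside.
# Naming the jail IP instead of "me" is the point: "me" matches every address
# configured on the host, so "to me 22" would open SSH to all jails at once.
jail_rules() {
    base=$1; ip=$2; shift 2
    n=$base
    for svc in "$@"; do
        proto=${svc%/*}; port=${svc#*/}
        run $cmd "$n" allow "$proto" from any to "$ip" "$port" in via "$pif"
        n=$((n + 1))
    done
    run $cmd $((base + 99)) deny ip from any to "$ip" in via "$pif"
}

# Per-jail policy as in the question: jail_1 serves DNS/HTTP/HTTPS (plus SSH),
# jail_2 serves mail. Place these below any check-state rule and above the
# host's final deny so the numbering keeps the intended order.
jail_rules 400 10.10.1.139 udp/53 tcp/53 tcp/80 tcp/443 tcp/22
jail_rules 500 10.10.1.141 tcp/25 tcp/143 tcp/993
```

The rules are stateless like the one in #3, so replies leaving the jail still rely on whatever outbound allow the rest of the ruleset provides.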