IPFW, Jail and network alias

kazix

Member

Reaction score: 2
Messages: 26

Hello,

I'm trying to configure IPFW on machine with jail (FreeBSD 11.1)

Host have one big lagg0, and when jail starting create alias on this lagg0.

Code:
lagg0: flags=8843... metric 0 mtu 1500   options=401ba....
    ether ....
    inet 10.10.1.102 netmask 0xffffff00 broadcast 10.10.1.255 
    inet 10.10.1.139 netmask 0xffffffff broadcast 10.10.1.139 
    inet 10.10.1.141 netmask 0xffffffff broadcast 10.10.1.141 
    inet 10.10.1.25 netmask 0xffffffff broadcast 10.10.1.25 
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    groups: lagg 
    laggproto lacp lagghash l2,l3,l4
    laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: igb1 flags=0<>
    laggport: bce0 flags=0<>
jail_1 have 10.10.1.139 address
jail_2 have 10.10.1.139 address
...

I understand that I can't run IPFW in jail, it must be on host machine :(

But is any way to set rules per jail (network alias?)

example:

Jail_1 only incoming DNS, HTTP, HTTPS, ...
Jail_2 only incoming SMTP, IMAP, ...
...

Thanks for help
kzx
 

ShelLuser

Son of Beastie

Reaction score: 1,693
Messages: 3,512

Well, each jail needs to have its own IP address which you can use in the firewall of the host to control incoming traffic.
 
OP
OP
kazix

kazix

Member

Reaction score: 2
Messages: 26

Ok, but how to write this rule in IPFW?

example:
Code:
pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif
How should look this rule, if I want access ssh from any only to jail_1 (10.10.1.139)?
 

complexinput

New Member

Reaction score: 1
Messages: 7

Code:
pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif
Change "me" to the ip of the jail.
 
Top