IPFW, Jail and network alias

[kazix]

Hello,

I'm trying to configure IPFW on machine with jail (FreeBSD 11.1)

Host have one big lagg0, and when jail starting create alias on this lagg0.

lagg0: flags=8843... metric 0 mtu 1500   options=401ba....
    ether ....
    inet 10.10.1.102 netmask 0xffffff00 broadcast 10.10.1.255 
    inet 10.10.1.139 netmask 0xffffffff broadcast 10.10.1.139 
    inet 10.10.1.141 netmask 0xffffffff broadcast 10.10.1.141 
    inet 10.10.1.25 netmask 0xffffffff broadcast 10.10.1.25 
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    groups: lagg 
    laggproto lacp lagghash l2,l3,l4
    laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: igb1 flags=0<>
    laggport: bce0 flags=0<>

jail_1 have 10.10.1.139 address
jail_2 have 10.10.1.139 address
...

I understand that I can't run IPFW in jail, it must be on host machine

But is any way to set rules per jail (network alias?)

example:

Jail_1 only incoming DNS, HTTP, HTTPS, ...
Jail_2 only incoming SMTP, IMAP, ...
...

Thanks for help
kzx

 

[ShelLuser]

Well, each jail needs to have its own IP address which you can use in the firewall of the host to control incoming traffic.

 

[kazix]

Ok, but how to write this rule in IPFW?

example:

pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif

How should look this rule, if I want access ssh from any only to jail_1 (10.10.1.139)?

 

[complexinput]

pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif

Change "me" to the ip of the jail.