jail.conf and localhost alias

[kazix]

Hello, I'm testing jail.

First I'm used ezjail to create/manage jails - it's a nice tool
But I need one BIG function - no autostart jails, but starting via script.

So I decided to disable ezjail and run "normal jail" command, move config from ezjail to /etc/jail.conf (but still can manage jails via ezjail-admin)

My question is about loopback in jail. On site https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html is recommendation to create alias for localhost (lo1)
ifconfig lo1 create
and in jail config set special localhost (example 127.0.0.2).
In jail config file in ezjail is something like that:

#/usr/local/etc/ezjail/jt3
...
export jail_jt3_ip="lo1|127.0.0.2,lagg0/10.10.1.145"
...

but in "clear jail" don't have this option, I can only set one interface

jt3 {
ip4.addr           = "10.10.1.145";  # IP4 address
#ip6.addr           = "fe00::1";        # IP6 address (optional)
interface          = "lagg0";           # Network interface

Is there any option to set (example ): lo1|127.0.0.2 and lagg0|10.10.1.145 in jail.conf?

 

[SirDice]

Use one or the other. So either bind the jail to your interface or to lo1, not both. Binding a jail to lo1 is only useful if you only have 1 external IP address. So for your situation just use lagg0 and the 10.x.x.x address.

 

[kazix]

Thanks SirDice,

but why on this site, (config jail with ezjail) they recomend to use different localhost alias and different address for network?
is there any security/performance reason?

Thanks,
kazix

 

[SirDice]

It doesn't mention it's "recommended". It's just an example configuration that will work for most people.

is there any security/performance reason?

No, not really. As I said, you'd use the lo1 "trick" if you can only have one IP address on the physical interface. But in your case this is not an issue as you can bind as many addresses as you like to the interface. So there's no need to use lo1.

 

[kazix]

I did so and it works, no lo1 alias - thanks again.

kazix

 

[getopt]

SirDice
Hmm, I remember having read more than once it's better separating jail's loopback from that of the host.
Are you sure that this really of no use (regarding host/jail security)?

 

[SirDice]

Are you sure that this really of no use (regarding host/jail security)?

It doesn't add or remove anything security-wise. So it doesn't matter if you bind it to lo1 or to the physical interface. The only difference would be regarding network availability, if you bind a jail to the physical interface any service would be instantly accessible from the network. If you bind the jail to lo1 you'd have to redirect ports. But typically you're going to run network services in a jail so those ports will be opened up anyway.