Jail routing

Hi all,
I found this problem while trying to install an in-jail software from the ports, but I think it is not related to the ports. I've got a FreeBSD machine with two NICs: em0 is used to go outside on the Internet, em1 is used internally. Then I've got one jail that is attached to an alias of em1, since it has to provide services only within the LAN. The problem is that from the jail I cannot get outside to download software, of course, and this should be fine once the jail is ready to run (in production mode), but now how can I overcome the problem and allow the jail to go outside using em0? Should I also attach an alias to em0 and give it to the jail? Because em0 is coming from DHCP, so I don't know how to assign a valid alias....
 
Temporarily attach it to the interface that does have internet access. Or use any of the firewalls to NAT the traffic.
 
If the jail IP address is not directly accessible from outside (such as an RFC 1918 IP address), you need to perform NAT on em0 for it if you want internet access for the jail. The IP address movement alone will not be enough.
 
There is a new system utility called qjail that automates all the problems of creating and administration of jails using the manual jail commands. You should really check it out.
 
I have now added the fact that you are actually the port maintainer for qjail to your signature. I think it's only fair to have that information out in the open when you constantly advertise qjail in jail-related topics.
 
fbsd1 said:
There is a new system utility called qjail that automates all the problems of creating and administration of jails using the manual jail commands. You should really check it out.

Neither sysutils/qjail nor sysutils/ezjail can solve this problem. A non-routable IP address cannot access the Internet without some sort of NAT taking place.

If you believe that you have created good software for jail management, then please post a presentation in the how-to section. I will be one of the first to try it. But don't just reply to any jail-related thread without providing a solution to the problem. It is really bad advertising.

Regards,
George
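
The NAT approach suggested in the replies above, as an added example that is not part of the original thread: a minimal `/etc/pf.conf` for the setup described (em0 on DHCP, jail on an em1 alias). The jail address `192.168.1.50`, the port list, and a classic (non-VNET) jail sharing the host's network stack are assumptions.

```pf
# /etc/pf.conf  (added example; the addresses and port list are assumptions)
ext_if  = "em0"            # Internet-facing NIC, address assigned by DHCP
jail_ip = "192.168.1.50"   # constructed placeholder: the jail's alias on em1

# Translation rules must come before filter rules in pf.conf.
# ($ext_if) in parentheses makes pf follow the interface's current address,
# so the rules keep working when the DHCP lease changes.
# DNS lookups from the jail:
nat on $ext_if inet proto { tcp, udp } from $jail_ip to any port 53 -> ($ext_if)
# Distfile downloads over HTTP/HTTPS:
nat on $ext_if inet proto tcp from $jail_ip to any port { 80, 443 } -> ($ext_if)

# Filter rules see packets after translation, so anything still carrying the
# jail's private source address here was not matched above. Drop it rather
# than leak RFC 1918 traffic out of em0.
block out quick on $ext_if inet from $jail_ip to any

# Check and load:    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
# Enable pf at boot: sysrc pf_enable=YES && service pf start
# When the jail goes into production, remove the nat lines and reload;
# the block rule then keeps the jail off em0 entirely.
```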
 