Jails and Hostonly network and pf question

J

jollyjinx

I've created a few jails that only have private network addresses on lo1 (I keep lo1 to jails only).

To me it seems that the 'normal' Unix loopback IPv4 interface 127.0.0.1 is available only on the host running the jails, but not inside the jails. Some programs fail to work the normal way when you enable them to listen on 127.1. Yes, I can always use the jail private network interface (10.0.0.x in my case), but that way the jail needs to know its loopback address which I find not a good abstraction. Shouldn't a jail as self-contained virtual host have its own loopback interface with a 127.1 and ::1 address?

Usually those jails should not be able to communicate to each other so I enabled pf rules to prevent traffic from and to their private network. But now I had the problem to create a rule for each jail so it could reach itself, I only have a few jails, but it does not look right to do it this way. Would be much easier with a loopback interface 127.1, ::1 for each jail.

Am I missing something? I'm new to FreeBSD, so sorry if I missed something.

So the rules look like:

Code: 
....
block all

pass quick on lo0

#rules to keep each jail be accessible for itself
pass quick on lo1 from 10.0.0.1 to 10.0.0.1
pass quick on lo1 from 10.0.0.2 to 10.0.0.2
pass quick on lo1 from 10.0.0.3 to 10.0.0.3
pass quick on lo1 from 10.0.0.4 to 10.0.0.4
pass quick on lo1 from 10.0.0.5 to 10.0.0.5
pass quick on lo1 from 10.0.0.6 to 10.0.0.6
...

# rules so one jail can access another on specific ports

pass quick on lo1 proto tcp from 10.0.0.5 to 10.0.0.2 port 80 keep state
pass quick on lo1 proto tcp from 10.0.0.5 to 10.0.0.6 port 80 keep state


Best, Patrick aka Jolly
 
If the jails are going to be on their own private LAN on lo1 and never be accessible to the outside, why bother putting that adapter in the rules? You would just want your normal firewall setup for your outside and your inside, everything else will be blocked, including lo1. Keep them and the adapter in the same subnet and they will communicate.

Also, you'll need to break your lo1 adapter down into aliases for your each of your jails. See this link below to do that...
http://www.cyberciti.biz/tips/freebsd-how-to-setup-2-ip-address-on-one-nic.html
 
Well, the idea is, not to have traffic in the pseudo-local network the jails run in, to prevent one jail to get hacked and then it opens up the other jails. The problem I have with the loopback interface 127.1 not existing is, that it's not possible to create a network service that can be seen from inside the jail only. E.g. I have a jail that runs nginx and that nginx uses a fastcgi proxy running usually on 127.1. Usually that is not a problem, but within a jail it is.

From my point of view a jail should be able to run on the network addresses the surrounding host sets up for the jail. That way I can move a jail from one environment (development) to another ( test, production ) and with ZFS and snasphots that would be really great.

I used that mechanism on other OS'es before to move from development to production (Debian and MAc OSX with VMWare Server). Now that I've "upgraded" ;-) to freebsd FreeBSD as I found out that it has jails on top of ZFS I would like to be able to move a fully tested virtual server (jail now) from one environment to the other as well.
 
jollyjinx said:
E.g. I have a jail that runs nginx and that nginx uses a fastcgi proxy running usually on 127.1. Usually that is not a problem, but within a jail it is.
Click to expand...
Use a file socket for PHP-FPM instead of a network socket. I.e.
Code: 
fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
 
Actually I was using fcgiwrap and spawn-fcgi with unix sockets first, but they restart the fastcgi programs and for the one jail where I use smokeping and other scripts that just is very slow (very long first startup). So I thought of using real fcgi server that runs on a local network port.
 
You must log in or register to reply here.
Back
Top