jails and loopback

deadbeef

New Member


Messages: 12

Im new to freebsd and jails, please be patient.
according to the freebsd documentation, one should create a cloned loopback for a jail instance.

I can't get behind the purpose of creating multiple loopback interfaces. can someone explain me this?
Should I create a new lo interface for each jail? sounds ridiculous.
Also, is there a security issue if run multiple jails on the same lo interface?

If there's someone who could explain the purpose behind that, that would be great.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 12,300
Messages: 38,822

It depends on your situation if you need a lo1 at all. If you can put multiple addresses on your 'external' host interface you can easily bind your jails directly to that interface and there's no need for a lo1. Adding a loopback interface and binding your jails to that is useful if you cannot bind directly to the 'external' host interface, if you only have access to a single 'external' IP address for example. Think of the lo1 construct as a 'virtual' private network, your jails are connected to this virtual network and your host acts as a router.
 
OP
D

deadbeef

New Member


Messages: 12

It depends on your situation if you need a lo1 at all. If you can put multiple addresses on your 'external' host interface you can easily bind your jails directly to that interface and there's no need for a lo1. Adding a loopback interface and binding your jails to that is useful if you cannot bind directly to the 'external' host interface, if you only have access to a single 'external' IP address for example. Think of the lo1 construct as a 'virtual' private network, your jails are connected to this virtual network and your host acts as a router.
Thank you. that helped so far, but raises a few more questions:
if I assign the jails to the loopback interface, do I have to do the routing myself or can I access the offered services right through the hosts address?
how can the jails communicate with the outside world?
lets assume a host with 2 network interface, both with different addresses, how can the jails
determine from which of these interfaces the incoming traffic came (lets say for an dhcp server)?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 12,300
Messages: 38,822

if I assign the jails to the loopback interface, do I have to do the routing myself or can I access the offered services right through the hosts address?
It's going to be a so-called "directly connected" network, which means the route is implicitly added on the host itself. You may need additional static routes on other hosts on your network though, they need to know where to find your private network. This is no different from having "real" subnets with "real" hosts. In this respect you should treat a jail the same way as you would any other regular host on your network.

lets assume a host with 2 network interface, both with different addresses, how can the jails
determine from which of these interfaces the incoming traffic came (lets say for an dhcp server)?
No host, jail or otherwise would be able to tell the difference actually. A DHCP service is bound to each interface individually and can therefor tell where it came from.
 
OP
D

deadbeef

New Member


Messages: 12

This is no different from having "real" subnets with "real" hosts. In this respect you should treat a jail the same way as you would any other regular host on your network.
This

http://kbeezie.com/freebsd-jail-single-ip/ may be useful. It shows how you can have several jails on lo1 and what to put in pf.conf to route them. (Note that it's only one method but it's the one that I've found easiest)
Very good explanation.

Thanks to both of you. I have tried what was explained and it works as expected.
2 Days into freebsd and already a fan👍
 
Top