Multiple Jails - Communication with each other

It's quite easy to do a multi-Jail setup and let the Jails communicate with each other, for example connecting to a DB running in another Jail.
First we create interfaces for the Jails in /etc/rc.conf

Code:
cloned_interfaces="lo1 lo2 lo3 lo4"
ifconfig_lo1="inet 127.0.10.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 127.0.10.2 netmask 255.255.255.0"
ifconfig_lo1_alias1="inet 127.0.10.3 netmask 255.255.255.0"
ifconfig_lo1_alias2="inet 127.0.10.4 netmask 255.255.255.0"
ifconfig_lo2="inet 127.0.20.1 netmask 255.255.255.0"
ifconfig_lo3="inet 127.0.30.1 netmask 255.255.255.0"
ifconfig_lo4="inet 127.0.40.1 netmask 255.255.255.0"

So we would have 127.0.10.1, 2, 3 and 4 and 3 more interfaces, one or (since FreeBSD 7.2) multiple IPs for each Jail.

Then we enable IP forwarding so that the internal routing over the interfaces works:

Code:
gateway_enable="YES"

And finally using PF we first define which interfaces and IP's are used:

Code:
interface_db="lo1"
interface_imap="lo2"
interface_mail="lo3"
interface_www="lo4"

db_ip="127.0.10.1"
imap_ip="127.0.20.1"
mail_ip="127.0.30.1"
www_ip="127.0.40.1"

to then add the rules:

Code:
pass in quick on { $interface_db $interface_mail } proto tcp from { $db_ip $mail_ip } to { $db_ip $mail_ip } port 3306

pass out quick on { $interface_db $interface_mail } proto tcp from { $db_ip $mail_ip } to { $db_ip $mail_ip } port 3306

This would allow the Mail and the DB Jail to connect to each other on port 3306.

When using a Webmail system, for example, that wants to access the IMAP Server and send Mails as well:

Code:
pass in quick on { $interface_imap $interface_www } proto tcp from { $imap_ip $www_ip } to { $imap_ip $www_ip } port 143
pass in quick on { $interface_mail $interface_www } proto tcp from { $mail_ip $www_ip } to { $mail_ip $www_ip } port 25

pass out quick on { $interface_imap $interface_www } proto tcp from { $imap_ip $www_ip } to { $imap_ip $www_ip } port 143
pass out quick on { $interface_mail $interface_www } proto tcp from { $mail_ip $www_ip } to { $mail_ip $www_ip } port 25

And so on. If something won't work as expected, running a tcpdump on pflog (if pflog is active) helps to debug and find out what's wrong.

And for the PF experts - I know these rules can be optimized - it's just an example.
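Because the rc.conf interface list and the pf macros are maintained by hand, a copy-paste slip (an address typed twice on two cloned interfaces, or an interface_* macro pointing at the wrong lo device) makes the pass rules quietly match the wrong interface instead of producing an error. The sh script below is an added example, not code from the thread: it cross-checks rc.conf-style ifconfig_* lines against the pf macro block and reports both kinds of slip. The RC_CONF and PF_MACROS strings are constructed sample input that deliberately contains one of each; the function names are my own.

```shell
#!/bin/sh
# Added example: consistency check for a multi-jail loopback setup.
# The rc.conf and pf macro snippets below are constructed sample input that
# deliberately contains two slips:
#   - lo4 is given the same address as lo3 (127.0.30.1)
#   - interface_www points at lo3 although www_ip is meant to live on lo4
# Either slip makes pf rules apply to the wrong interface without any error.

RC_CONF='cloned_interfaces="lo1 lo2 lo3 lo4"
ifconfig_lo1="inet 127.0.10.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 127.0.10.2 netmask 255.255.255.0"
ifconfig_lo2="inet 127.0.20.1 netmask 255.255.255.0"
ifconfig_lo3="inet 127.0.30.1 netmask 255.255.255.0"
ifconfig_lo4="inet 127.0.30.1 netmask 255.255.255.0"'

PF_MACROS='interface_db="lo1"
interface_imap="lo2"
interface_mail="lo3"
interface_www="lo3"
db_ip="127.0.10.1"
imap_ip="127.0.20.1"
mail_ip="127.0.30.1"
www_ip="127.0.40.1"'

# Print one "<iface> <ip>" line for every ifconfig_<iface>[_aliasN]="inet <ip> ..."
# entry in the rc.conf text passed as $1.
rc_pairs() {
    printf '%s\n' "$1" |
      sed -n 's/^ifconfig_\([a-z0-9]*\)\(_alias[0-9]*\)\{0,1\}="inet \([0-9.]*\)[" ].*/\1 \3/p'
}

# List addresses that rc.conf assigns to more than one interface, one per line
# as "<ip> <iface> <iface>...". Prints nothing when the assignment is clean.
duplicate_ips() {
    rc_pairs "$1" | awk '
        { ifaces[$2] = ifaces[$2] " " $1; count[$2]++ }
        END { for (ip in count) if (count[ip] > 1) print ip ifaces[ip] }' | sort
}

# Cross-check the pf macros ($2) against rc.conf ($1): for every <name>_ip
# macro, the interface named by interface_<name> must actually carry that
# address. Prints one "<name> <ip> not on <iface>" line per mismatch.
macro_mismatches() {
    rc="$1"; pf="$2"
    printf '%s\n' "$pf" | sed -n 's/^\([a-z]*\)_ip="\([0-9.]*\)"/\1 \2/p' |
    while read -r name ip; do
        iface=$(printf '%s\n' "$pf" | sed -n "s/^interface_${name}=\"\([a-z0-9]*\)\"/\1/p")
        if ! rc_pairs "$rc" | grep -qxF "$iface $ip"; then
            echo "$name $ip not on ${iface:-<unset>}"
        fi
    done
}

# Run both checks: exit status 0 when clean, 1 (with findings on stdout) otherwise.
check_jail_net() {
    problems=$( duplicate_ips "$1"; macro_mismatches "$1" "$2" )
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}

check_jail_net "$RC_CONF" "$PF_MACROS" || echo "fix rc.conf / pf.conf before loading the rules"
```

Run it before `pfctl -f` (or feed it the real files with `check_jail_net "$(cat /etc/rc.conf)" "$(sed -n '/_ip=\|^interface_/p' /etc/pf.conf)"`); on the sample data it reports `127.0.30.1 lo3 lo4` and `www 127.0.40.1 not on lo3`, and prints nothing once lo4 gets 127.0.40.1 and interface_www is set to lo4.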
 
I've been doing this for ages without using pf, with private IP ranges. Not sure why you are adding pf here...
 
Why are you using different subnets? Just use the same subnet and there's no need for complicated routing.
 