Hello,
I still have some questions about networking and jails. I could not find the answers in the documentation or forums. I hope my questions are not too dumb.
1. The networking inside jails seems to partly rely on the networking of the host. To get "more" networking features, it is necessary to use things like vnet, vimage... Am I right?
2. The documentation and several posts on the forum advise to bind the jails' IP addresses to lo1, which is also a loopback interface. Why do the jails' IP addresses have to be bound to a loopback interface? Does it matter at all? Is there no way to use another logical interface which wouldn't be a loopback one?
3. Several posts on the forums advise to give each jail an address in 127/8. These addresses are reserved for loopback. What is the purpose behind such a choice (instead of addresses in 192.168/16 or in 10/8)?
4. The documentation of ezjail says "To keep jail loopback traffic off the host's loopback network interface lo0, a second loopback interface is created by...". OK, but why is it necessary to keep the jail loopback traffic off the host's loopback network? (Security?)
5. With pf configured the right way on the host, the jails do reach the internet (e.g. whois works and nginx answers requests well), but I do not understand how. From inside a jail, ifconfig outputs:
Code:
root@web0:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
ether **:**:**:**:**:**
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 10.1.1.64 netmask 0xffffffff
root@web0:~ #
So, no IP address is bound to em0, though the jail can "see" it. The jail's own IP address (10.1.1.64) is bound to lo1 (which is a loopback interface). Moreover, if I delete the defaultrouter setting from the jail's /etc/rc.conf, the jail can still reach the internet.
So, how do the jails reach the internet?
6. Someone mentioned it is possible to set up the host and jails in order to let the jails access the internet without using NAT (thanks to pf). But I couldn't find how it is possible to do so. (I will use pf anyway, so this question is only caused by curiosity).
Thanks for any hints!
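As an added illustration, not part of the original post and not the poster's own configuration, here is the host-side setup that question 5 describes: a cloned lo1 carrying the jail's address (10.1.1.64 from the ifconfig output above), and a pf NAT rule on em0 that rewrites the jail's source address on the way out. The jail itself never uses its defaultrouter setting because a jail without VNET has no network stack of its own; its sockets live in the host's stack and use the host's routing table, which is why em0 is visible but carries no address inside the jail. The 10.1.1.0/24 jail block, the port 80 redirection and the interface name em0 are assumptions for this example.

```conf
# --- /etc/rc.conf on the host (constructed example, not the poster's file) ---
# Clone a second loopback so jail addresses do not sit on the host's lo0;
# pf rules can then match "on lo1" and treat jail-to-jail traffic separately.
cloned_interfaces="lo1"
# The jail's address is a /32 alias on lo1 (10.1.1.64 taken from the post).
ifconfig_lo1_alias0="inet 10.1.1.64 netmask 255.255.255.255"
pf_enable="YES"

# --- /etc/pf.conf on the host (constructed example) ---
ext_if = "em0"            # assumed: the host's uplink interface
jail_net = "10.1.1.0/24"  # assumed: every jail gets an address in this block
jail_web = "10.1.1.64"    # the nginx jail from the post

# Translation rules come first in pf. Outgoing packets with a jail source
# address get the current address of em0, so upstream routers only ever see
# the host; this is how the jail "reaches the internet" without an address
# on em0 or a working defaultrouter of its own.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Publish the jail's web server on the host's public address (port 80 assumed).
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $jail_web port 80

# Filter rules: default deny, then only what the jails need.
block all
# Jail loopback traffic stays on lo1 and is allowed there.
pass quick on lo1 all
# Let translated jail traffic leave and keep state so replies come back.
pass out quick on $ext_if inet keep state
# Only the redirected web port may reach the jail from outside.
pass in quick on $ext_if inet proto tcp to $jail_web port 80 keep state
```

Reload with `pfctl -f /etc/pf.conf` after `service netif cloneup` (or a reboot) has created lo1. Keeping jail addresses off lo0 matters for the last two filter rules: with a default-deny policy on every interface except lo1, the host's own loopback services are not exposed to the jails merely because they share a kernel.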