Jonathan Horne wrote:
> is there a way to configure a jail to use more than one ip address?
> in the same sense of configuring an alias ip for any other freebsd
> host?
jail(8) only allows you one IP -- there are some patches around which will let you create jails with more IPs, and even better there's a clonable network stack under development -- meaning each jail can have its own firewall instance etc. etc. However none of that is really ready for prime time usage just yet. In fact, that's all rather experimental at the moment and suitable only for gurus to play with.

There is an alternative. You can achieve something like what you want with a bit of firewall trickery. Add an alias IP to the loopback interface -- say 127.0.0.2:

# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff

Now create a jail using that IP. Something like this in /etc/rc.conf is what you'll need, plus following the instructions in jail(8) to create the filesystems in the jail:

jail_enable="YES"
jail_list="j1"
jail_j1_hostname="j1.example.com"
jail_j1_interface="lo0"
jail_j1_mount_enable="YES"
jail_j1_fstab="/etc/fstab.jail.j1"
jail_j1_ip="127.0.0.2"
jail_j1_rootdir="/jail/j1.example.com"

Fire up whatever services you want inside your jail -- within it, you'll have to configure everything to bind to the jail IP 127.0.0.2 specifically, but that's just the way things are in jails even without this redirection trick.

Now, configure the IPs on interfaces you want the outside world to see as belonging to your jail -- for illustrative purposes I'll choose 12.34.56.78 and 12.34.56.79 as example addresses to use for the jail. Then use firewall NAT functionality to redirect traffic into the jail.
If you use pf (definitely recommended) then a snippet like the following should be useful in /etc/pf.conf:

ext_if="em0"            # assumed: the name of your external interface, adjust to suit
jail_int="127.0.0.2"
jail_ext0="12.34.56.78"
jail_ext1="12.34.56.79"

# Outward connections from within the jail
nat on $ext_if proto { tcp udp } \
    from $jail_int \
    to !$jail_int -> $jail_ext0 static-port

# Incoming connections to the jail
rdr on $ext_if proto tcp \
    from any \
    to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

If you want to run multiple HTTPS v-hosts from within the jail you'll have to configure them to all run on distinct port numbers within apache, and use something like this to generate the mapping:

rdr on $ext_if proto tcp \
    from any \
    to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp \
    from any \
    to $jail_ext1 port 443 -> $jail_int port 9443

This approach works pretty well for many protocols, but it does have the basic limitation that you can't tell a priori from within the jail which external address the traffic went to. Either you've got to determine the answer by looking at the traffic payload (e.g. HTTP has a header saying which v-host the request is for) or apply the sort of port remapping shown above.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
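The rules in Matthew's reply cover two external addresses by hand. The script below is an added example, not code from the post or from FreeBSD: it generates the same nat/rdr ruleset for any number of external addresses, assigning each one its own internal HTTPS port (base port, base port + 1, ...) so that the jail can tell the v-hosts apart, and then syntax-checks the result with `pfctl -n` when pf is present on the machine. The interface name `em0`, the base port 8443 and the helper names `gen_pf_rules` / `check_with_pfctl` are assumptions made for this example; the addresses are the constructed ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the loopback-jail
# NAT/rdr rules for N external addresses and syntax-check them with pfctl.

# gen_pf_rules EXT_IF JAIL_INT BASE_PORT EXT_IP...
# Prints a pf.conf fragment: macros, one outbound nat rule, one rdr for the
# plain services (25, 80) on all external IPs, and one rdr per external IP
# mapping 443 to a distinct internal port starting at BASE_PORT.
gen_pf_rules() {
    ext_if=$1 jail_int=$2 base_port=$3
    shift 3
    [ $# -ge 1 ] || { echo "gen_pf_rules: need at least one external IP" >&2; return 1; }

    printf 'ext_if="%s"\n' "$ext_if"
    printf 'jail_int="%s"\n' "$jail_int"
    i=0; ext_list=""
    for ip in "$@"; do
        printf 'jail_ext%d="%s"\n' "$i" "$ip"
        ext_list="$ext_list \$jail_ext$i"      # builds " $jail_ext0 $jail_ext1 ..."
        i=$((i + 1))
    done

    printf '\n# Outward connections from within the jail\n'
    printf 'nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int -> $jail_ext0 static-port\n'

    printf '\n# Incoming connections: services that need not know the external address\n'
    printf 'rdr on $ext_if proto tcp from any to {%s } port { 25 80 } -> $jail_int\n' "$ext_list"

    printf '\n# HTTPS: one internal port per external address so the jail can tell them apart\n'
    i=0
    for ip in "$@"; do
        printf 'rdr on $ext_if proto tcp from any to $jail_ext%d port 443 -> $jail_int port %d\n' \
            "$i" "$((base_port + i))"
        i=$((i + 1))
    done
}

# check_with_pfctl: read a ruleset on stdin and dry-run it through pfctl -n.
# Returns 0 if pf accepts it, 1 if it rejects it, 2 if pfctl is not installed.
check_with_pfctl() {
    if ! command -v pfctl >/dev/null 2>&1; then return 2; fi
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if pfctl -nf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage with the post's constructed addresses (em0 and 8443 are assumptions).
gen_pf_rules em0 127.0.0.2 8443 12.34.56.78 12.34.56.79
gen_pf_rules em0 127.0.0.2 8443 12.34.56.78 12.34.56.79 | check_with_pfctl \
    || echo "pfctl check skipped or failed (exit $?)" >&2
```

Run it on the host before touching the live ruleset; once `pfctl -n` is happy, the same output can be pasted into /etc/pf.conf. The apache v-hosts inside the jail then listen on 8443, 8444, ... respectively.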