VNET

Anders Hagman anders.hagman at netplex.se
Thu Jun 21 15:03:12 UTC 2012


Hi

On 20 Jun 2012, at 19:51, Sami Halabi wrote:

> Thank you.
> 
> I want to use vnet jail for a specific subnet that I need to separate from
> the system.

If you want total separation from the main system you need a vnet jail to be able
to have a separate routing table and default gateway.

> So basically I create a vlan + a bridged interface to the public.

You don't need to create a bridge, just create a vlan interface and move it to the jail.

> These two (vlan + bridged interface, epair0a) will be in the vnet jail, so I
> can do NAT only for that vlan going out.
> This is the idea, as there are more interfaces in the system and there is
> only one interface out…

I do this to be able to use the same hardware for inside server and DMZ server.
It has been working for two months without any problem.

> 
> So basically it should be a firewall & NAT only between the specific LAN and
> the outside world.
> 
> Can this be accomplished another way?
> 
> Sami
> 
> On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov <
> melifaro at freebsd.org> wrote:
> 
>> On 19.06.2012 12:56, Sami Halabi wrote:
>> 
>>> Hi,
>>> 
>>> I want to ask about VNET jails. I read somewhere that I'm able to run IPFW,
>>> but not PF firewall in a vnet jail.
>>> Is that correct?
>>> 
>>> I want a vnet jail basically for NAT, so natd with ipfw + ipdivert is my
>>> 
>> 1) You can do nat without vnet.
>> 2) ipfw nat is currently the easiest way to do nat.
>> 
>> 
>> choice? Or can I use pf somehow? I never used pf before,
>>> so I would like some advice here...
>>> 
>>> Thanks in advance,
>>> 
>>> 
>> 
>> --
>> WBR, Alexander
>> 
> 
> 
> 
> -- 
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
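
The setup discussed in this thread (a vlan interface moved into a vnet jail that has its own default route, with ipfw nat doing the translation), as an added example that is not part of any message above. The parent NIC `em0`, VLAN IDs 100 and 200, the jail name `natgw` and the RFC 5737 addresses are assumptions; using a second vlan as the outside interface is also an assumption, and `path=/` means only the network stack is separated, not the filesystem.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: parent NIC em0,
# VLAN 100 (inside LAN), VLAN 200 (outside), jail "natgw", RFC 5737 addresses.
# Host preconditions: kernel with VIMAGE, ipfw and ipfw_nat modules loaded.
PARENT=em0
JAIL=natgw
IN_IF=vlan100;  IN_ADDR=192.0.2.1/24
OUT_IF=vlan200; OUT_ADDR=198.51.100.2/24; OUT_GW=198.51.100.1

# Emit the command plan, one command per line, in execution order.
vnet_nat_plan() {
    cat <<EOF
ifconfig $IN_IF create vlan 100 vlandev $PARENT
ifconfig $OUT_IF create vlan 200 vlandev $PARENT
jail -c name=$JAIL path=/ host.hostname=$JAIL vnet persist
ifconfig $IN_IF vnet $JAIL
ifconfig $OUT_IF vnet $JAIL
jexec $JAIL ifconfig lo0 inet 127.0.0.1/8 up
jexec $JAIL ifconfig $IN_IF inet $IN_ADDR up
jexec $JAIL ifconfig $OUT_IF inet $OUT_ADDR up
jexec $JAIL route add default $OUT_GW
jexec $JAIL sysctl net.inet.ip.forwarding=1
jexec $JAIL ipfw -q nat 1 config if $OUT_IF reset
jexec $JAIL ipfw -q add 100 allow ip from any to any via lo0
jexec $JAIL ipfw -q add 200 allow ip from any to any via $IN_IF
jexec $JAIL ipfw -q add 300 nat 1 ip from any to any via $OUT_IF
EOF
}
# No bridge or epair is created: both vlan interfaces live only inside the
# jail, which therefore has its own routing table, default gateway and ipfw
# ruleset. Anything the three rules do not match falls through to ipfw's
# default rule (deny, unless the kernel was built or tuned to accept).

# Dry run by default: print the plan. With APPLY=1 (root, FreeBSD) run it,
# stopping at the first command that fails.
vnet_nat_apply() {
    vnet_nat_plan | while read -r cmd; do
        echo "+ $cmd"
        [ "${APPLY:-0}" = 1 ] || continue
        $cmd </dev/null || return 1
    done
}

vnet_nat_apply
```

Rule 200 is needed because forwarded packets are also checked when they enter on the inside vlan; with only the nat rule they would hit the default deny before reaching the outside interface.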


