source addresses for IP traffic between jails

Andrew McNaughton andrew at scoop.co.nz
Wed Aug 27 01:56:18 PDT 2003


I'm setting up a server environment where I've got a bunch of jails
running using aliased IPs on the same interface.  I'd like to be able to
use ipfw to place limits on the traffic between jails, but I'm running
into problems.

When I use tcpdump to look at TCP traffic from one jail to another, it
shows both the source and destination IP for the packets as being the IP
assigned to the jail which the connection is made to.

When I look at UDP traffic (again using tcpdump) I see both the source
and destination IP being that of the jail IP the particular packet is
destined for.

Given the situation above, is it possible for ipfw to distinguish
which jails are involved in a packet exchange?

I've wondered about giving each jail its own pseudo-interface.  Are there
any problems with creating many pseudo-interfaces like this?  What sort of
interface should I use?

You apparently can't create multiple loopback interfaces which would be
the obvious choice (i.e. `ifconfig lo1 create` does not work).  The
interface types I know about that allow creation of pseudo-interfaces are
tunnel type interfaces which don't really suit this purpose.  Is there
something suitable?

Given that packets are coming from a jail, is the packet construction I'm
seeing correct, or should this be considered a bug?

Andrew McNaughton


--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           In Sydney
                            Working on a Product Recommender System
andrew at scoop.co.nz
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
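A quick way to check whether the symptom described in the post is present on a host, and therefore whether any address-based ipfw rule between two jails could ever match, is to run tcpdump and classify the captured jail-to-jail packets by whether their source and destination addresses differ. The script below is an added example, not code from the post or from FreeBSD; the capture lines and the jail addresses 10.0.0.2 and 10.0.0.3 are constructed.

```python
import re

# Matches the "src.port > dst.port:" part of a tcpdump line. Older tcpdump omits
# the "IP" token after the timestamp, newer versions print it, so it is optional.
FLOW_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for non-flow lines."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def audit_jail_flows(lines, jail_ips):
    """Classify captured packets whose endpoints are jail addresses.

    'indistinguishable': src == dst == a jail IP, the symptom from the post; an
                         ipfw rule keyed on "from <jail A> to <jail B>" can never
                         match these because the originating jail is not visible.
    'distinguishable':   src and dst are two different jail IPs.
    'other':             at least one endpoint is not a jail address.
    """
    result = {"indistinguishable": [], "distinguishable": [], "other": []}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # tcpdump banner, ARP, or continuation lines
        src, _, dst, _ = flow
        if src in jail_ips and dst in jail_ips:
            key = "indistinguishable" if src == dst else "distinguishable"
        else:
            key = "other"
        result[key].append(flow)
    return result


# Constructed sample capture (hypothetical): jail A = 10.0.0.2, jail B = 10.0.0.3
JAIL_IPS = {"10.0.0.2", "10.0.0.3"}
SAMPLE_CAPTURE = [
    "01:56:18.000001 10.0.0.3.49152 > 10.0.0.3.80: S 1:1(0) win 65535",
    "01:56:18.000002 10.0.0.3.80 > 10.0.0.3.49152: S 2:2(0) ack 2 win 65535",
    "01:56:18.000003 10.0.0.2.53 > 10.0.0.2.5353: udp 40",
    "01:56:18.000004 192.0.2.10.33000 > 10.0.0.2.22: S 3:3(0) win 5840",
]

if __name__ == "__main__":
    for kind, flows in audit_jail_flows(SAMPLE_CAPTURE, JAIL_IPS).items():
        print(f"{kind}: {len(flows)}")
```

Feed it `tcpdump -n -i <iface>` output for the interface carrying the aliases; a non-empty "indistinguishable" list confirms that source-address rules alone cannot separate the jails.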