different default gateway for jails planned/possible?
Julian Elischer
julian at elischer.org
Tue May 31 10:40:38 PDT 2005
Jeremie Le Hen wrote:
>Hi Emanuel,
>
>>will it be possible to define a different default gateway for a jail?
>>Imagine a system with two interfaces, one for the host on a local GbE
>>Switch (with NFS service) and the other one connected to a different
>>DMZ-Switch which should serve different jails.
>>Now the DMZ is useless since anybody who broke into one jail can reach all
>>hosts on the "host" interface without having the possibility to restrict
>>traffic on the router since the packets go straight to the GbE interface.
>>This is a big security disadvantage and if I block these packets I can't
>>any longer connect from machines inside the GbE network to the jails in
>>the DMZ. The request will be routed but answers go down the "host"
>>interface instead of the DMZ router interface. Even a different default
>>gateway wouldn't help in this case, the kernel had to "keep in mind" that
>>packets from a jail mustn't be forwarded through any jail-foreign
>>interface. Also the usual routing table had to be overwritten since
>>packets from a jail should go over the router to the GbE network (although
>>there is a well known route, the interface which has the GbE net
>>configured).
>>But at least packets from a jail should be limited so that they can't pass any
>>other interface(s) than the one(s) which belong to the particular jail.
>>I think PF's route-to next-hop rule would be a workaround for my problem
>>but I'm not too happy to have PF on a GbE fileserver.
>
>I think you can use ipfw(8) as a workaround, since it knows about
>jail IDs and can forward packets to any IP address. Netgraph is maybe
>an alternative, but I'm not sure about it.
>
You are correct.
Your best bet is to use the 'fwd' command of ipfw to send packets from
the jail IP to a different gateway.
>IMHO, hacking the IP stack in order to make it jail aware would lead
>to a real mess. The right way to do this would be to have IP stack
>virtualization, as it exists for RELENG_4 [1]. Unfortunately, this
>is available neither for RELENG_5 nor CURRENT, and my coding skills
>are clearly not good enough to do this.
>
>>Another jail question: Is it possible to limit resources on jail-basis?
>>Like resource restrictions for users in login.conf only for whole jails.
>
>AFAIK, no, this is not possible, this would need virtualization as well.
>
>[1] http://www.tel.fer.hr/zec/vimage/
>Regards,
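As an added example (not from the thread or from FreeBSD itself), here is an ipfw(8) ruleset in the spirit of the 'fwd' suggestion above: jail-originated traffic is pushed to the DMZ router even when the host has a direct route, and nothing from the jail is allowed to use the host's GbE interface. Interface names, addresses and rule numbers are assumptions; the fwd action needs the IPFIREWALL_FORWARD kernel option on FreeBSD of that era.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Constructed topology:
#   em0 = host interface on the GbE/NFS network 10.0.0.0/24
#   em1 = DMZ interface, DMZ network 192.0.2.0/24, DMZ router 192.0.2.1
#   jail address 192.0.2.10, aliased on em1
set -eu

HOST_IF=em0
DMZ_IF=em1
DMZ_GW=192.0.2.1
DMZ_NET=192.0.2.0/24
JAIL_IP=192.0.2.10

# Emit the ruleset as text so it can be reviewed before it is loaded.
# Order matters: ipfw stops at the first matching rule.
jail_ruleset() {
    cat <<EOF
# 1. The jail may talk to its own DMZ segment (router included) directly.
ipfw add 1000 allow ip from $JAIL_IP to $DMZ_NET out xmit $DMZ_IF
# 2. Everything else the jail originates, replies to GbE hosts included,
#    is handed to the DMZ router instead of following the host's route.
ipfw add 1010 fwd $DMZ_GW ip from $JAIL_IP to any out
# 3. Belt and braces: jail traffic must never touch the host interface
#    in either direction (e.g. if fwd is not compiled into the kernel).
ipfw add 1020 deny ip from $JAIL_IP to any out xmit $HOST_IF
ipfw add 1030 deny ip from any to $JAIL_IP in recv $HOST_IF
EOF
}

# Sanity check before loading: number of rules that mention the jail address.
count_jail_rules() {
    jail_ruleset | grep -c "ipfw add .* $JAIL_IP "
}

# Print the rules by default; pass --apply to load them with ipfw(8).
if [ "${1:-}" = "--apply" ]; then
    jail_ruleset | sh
else
    jail_ruleset
fi
```

Packets the fwd rule redirects are re-routed to the DMZ router without being passed through the firewall a second time, so rule 1020 is only reached by traffic the fwd rule did not handle.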