vnet jail for local only or public access

Alexander Leidinger Alexander at leidinger.net
Mon Jul 20 08:36:51 UTC 2020


Quoting Ernie Luzar <luzar722 at gmail.com> (from Fri, 17 Jul 2020  
16:31:53 -0400):

> Alexander Leidinger wrote:
>> Quoting Ernie Luzar <luzar722 at gmail.com> (from Fri, 17 Jul 2020  
>> 08:46:07 -0400):
>>
>>> Trying to figure out how to configure a vnet jail so it is  
>>> restricted to only being able to talk to other vnet jails on the  
>>> same host IE: local only vnet jails. As different to being able to  
>>> access the public internet type of vnet jails.
>>>
>>> Using the bridge/epair method of connecting vnet jails to the host.
>>> [ based on this how-to ]
>>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>> It's my understanding that this behavior is controlled by whether the
>>> host's interface connected to the public internet is added as a member
>>> to the bridge the vnet jails' epairXa interfaces were members of.
>>
>> Partly correct. You can also have a setup where your host is  
>> routing between what you call the public internet and the local  
>> only vnets.
>>
>>> I tested this on a remote vm and found that it made no difference  
>>> one way or the other if the hosts interface connected to the  
>>> public internet was added as a member to the bridge or not. In  
>>> both cases the vnet jail had public internet access.
>>
>> It shouldn't, if there is no routing involved.
>>
>> Please show us "ifconfig -a" and "netstat -rn" of the host.
>>
>> Bye,
>> Alexander.
>>
>
> root >netstat -rn4
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            65.25.48.1         UGS         re0
> 10.0.0.0/8         link#1             U           em0
> 10.0.10.2          link#1             UHS         lo0
> 10.0.20.0/24       link#5             U      bridge10

You have a routing table entry for the bridge on the host.

> 10.0.20.2          link#5             UHS         lo0
> xxx.25.48.0/20     link#2             U           re0
> xxx.25.51.0        link#2             UHS         lo0
> 127.0.0.1          link#3             UH          lo0
> /root >
> /root >ifconfig -a

> bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	description: qjail-vnet-jail-only-bridge
> 	ether 02:3e:ba:a7:58:0a
> 	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
> 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> 	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> 	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 6 priority 128 path cost 2000
> 	groups: bridge
> 	nd6 options=1<PERFORMNUD>

Your bridge has an IP address.

Both together: I suspect your host is routing between your jail and  
the outside.

If you remove the IP address from the bridge, you should have a  
jails-on-the-bridge-only setup.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
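A way to check for the condition described above (a bridge on the host that carries an IP address, which makes host-side routing between the jails and the outside possible) from `ifconfig -a` output, as an added example that is not part of this thread. The sample output is constructed after the one quoted above, and the names `addressed_bridges` and `audit_sample` are chosen here, not taken from any tool:

```shell
#!/bin/sh
# Added example, not code from the thread: report every bridge* interface
# in `ifconfig -a` output that has an inet address, together with its
# epair members. A bridge without an address only switches frames between
# its members; a bridge with an address is also reachable from the host
# and can be routed through.

# Constructed sample, modelled on the output quoted in the thread.
# bridge11 is added as an address-less counterexample.
SAMPLE_IFCONFIG='bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: qjail-vnet-jail-only-bridge
	ether 02:3e:ba:a7:58:0a
	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
	member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	groups: bridge
bridge11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:3e:ba:a7:58:0b
	member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	groups: bridge
'

# Reads ifconfig text on stdin and prints one line per addressed bridge:
#   <bridge> <inet address> <comma-separated members>
# Bridges without an inet line, and non-bridge interfaces, print nothing.
addressed_bridges() {
    awk '
        function flush() {
            if (iface ~ /^bridge/ && addr != "")
                print iface, addr, members
        }
        # An interface block starts at column 0 with "name:".
        /^[a-z0-9]+:/  { flush(); iface = substr($1, 1, length($1) - 1); addr = ""; members = "" }
        $1 == "inet"    { addr = $2 }
        $1 == "member:" { members = members (members == "" ? "" : ",") $2 }
        END { flush() }
    '
}

# Run the check over the constructed sample; on a real host use
#   ifconfig -a | addressed_bridges
audit_sample() {
    printf '%s' "$SAMPLE_IFCONFIG" | addressed_bridges
}

audit_sample
```

An empty result means no bridge on the host carries an address, which is the jails-on-the-bridge-only setup the reply recommends; any line printed names a bridge whose address (and the matching route in `netstat -rn`) should be removed if the jails on it are meant to be local only.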