vnet - using a jail as a default firewall gateway to internet
    Julian Elischer
    julian at freebsd.org
    Fri Apr 25 05:40:01 UTC 2014
On 4/25/14, 7:23 AM, Rob J wrote:
> Hi,
>
> I have been playing with vnet jails, and have a configuration working that
> I thought would not be (based on the docs out there), but it is.  I have a
> box with 3 NICs - hme0, em0 and em1.  Basically, with the assumption that
> the internet facing gateway is potentially a weak point, I set out to
> configure a jail on the above box to be the gateway, rather than the
> physical host itself. I recompiled the kernel, with the VIMAGE option, and
> set up a jail that uses em0 (192.168.x.y) as the lan side and hme0 (public
> IP a.b.c.d) is the ISP side.
Conceptually, the normal base system is just a single instance of a vnet jail,
so any situation that you can do with a separate machine as router should
be doable with a vnet jail in that role.
The error messages you see are because some sysctls can not be done
from within a jail.
There may be a setting to allow them to happen in a jail... I have not
checked.
You may attach your regular 'base' system to the jail using a
physical ethernet,
or it may have a shortcut with its own epair or netgraph link to the
router instance.
This is exactly the sort of situation we wanted to write vnets for.
> On the jail itself, its default route to the internet is public IP a.b.c.e
> (same network of interface hme0 above). Then I set the rest of my lan to
> point to 192.168.x.y (interface em0 above) as the default gateway. I have
> access to the internet with that configuration, routing through the jail
> (or at least I think so) - everything seems to work. The two errors I get
> upon starting the jail, are: "sysctl: net.inet.ip.sourceroute not
> permitted" and "sysctl: net.inet.ip.accept_sourceroute not permitted".
> Anybody knows what may be broken with my configuration? All the docs I read
> about having a jail route traffic seemed to imply it is undoable.
>
> Did I create a glaring hole in my network by having this design as my
> firewall and router?  I also noticed that the physical host is doing all
> the logging for dmesg and security, when I thought the jail would, but it
> is beginning to make sense that the kernel is only running on the physical
> host, and therefore does the logging of all kernel related activities.
>
> Any comments or suggestions welcome.
>
> Thanks,
>
> Robert
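A worked configuration for the layout discussed in this thread (a VIMAGE kernel, a vnet jail that owns the ISP-facing NIC hme0 and the LAN NIC em0, and an optional epair shortcut between the base system and the router jail, as Julian suggests). This is an added illustration, not configuration from either mail: the jail name, paths, the 203.0.113.0/24 and 192.168.1.0/24 addresses and the 10.0.0.0/30 epair link are placeholders standing in for the mail's a.b.c.d, 192.168.x.y and so on, and the ruleset file is assumed to be written by the administrator. It uses the jail.conf(5) syntax of FreeBSD 9.1 and later; ipfw is chosen for the in-jail firewall because it is vnet-aware, whereas pf only gained VNET support in FreeBSD 12.0.

```conf
# --- /etc/jail.conf on the physical host (constructed example) ---
gw {
    path = "/jails/gw";
    host.hostname = "gw.example.internal";
    mount.devfs;

    # Own network stack for the jail. The two physical NICs are moved into
    # it when the jail is created and return to the host when it is removed;
    # em1 stays with the host and can carry a physical cable to the LAN.
    vnet;
    vnet.interface = "hme0", "em0";

    # Optional host<->router shortcut over an epair instead of a cable:
    # epair0a stays on the host, epair0b is moved into the jail.
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.1/30 up";
    vnet.interface += "epair0b";
    exec.poststop  = "ifconfig epair0a destroy";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Keep the router jail's privileges minimal: it needs no raw sockets
    # (unless you want ping/traceroute inside it), no SysV IPC, no mounts.
    allow.raw_sockets = 0;
    allow.sysvipc = 0;
    allow.mount = 0;
}

# --- /jails/gw/etc/rc.conf inside the jail (constructed example) ---
hostname="gw.example.internal"
ifconfig_hme0="inet 203.0.113.10/24"     # ISP side (the mail's a.b.c.d)
ifconfig_em0="inet 192.168.1.1/24"       # LAN side (the mail's 192.168.x.y)
ifconfig_epair0b="inet 10.0.0.2/30"      # host shortcut, only if the epair is used
defaultrouter="203.0.113.1"              # ISP gateway (the mail's a.b.c.e)
gateway_enable="YES"                     # sets net.inet.ip.forwarding=1 in the jail's own vnet
firewall_enable="YES"                    # ipfw ruleset maintained by the administrator
firewall_type="/etc/ipfw.rules"
firewall_logging="YES"

# The two "not permitted" messages at jail start come from /etc/rc.d/routing,
# which writes net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
# even when forward_sourceroute/accept_sourceroute are left at "NO". Those
# sysctls are not writable from inside a jail, and both default to 0
# (source routing off), so the messages do not indicate an open hole.
forward_sourceroute="NO"
accept_sourceroute="NO"
```

Because the kernel is shared, kernel messages (dmesg) still land on the host, as Rob observed; ipfw log entries generated for the jail's rules likewise go through the host's syslog facilities, so the host remains the place to collect and watch the firewall log. LAN machines use 192.168.1.1 as their default gateway; if the host uses the epair shortcut rather than em1, its own default route points at 10.0.0.2.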