another jail question

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Mar 24 18:38:34 UTC 2007


Jonathan Horne wrote:
> is there a way to configure a jail to use more than one ip address?
> in the same sense of configuring an alias ip for any other freebsd
> host?

jail(8) only allows you one IP -- there are some patches around
which will let you create jails with more IPs, and even better
there's a clonable network stack under development -- meaning
each jail can have its own firewall instance etc. etc.

However none of that is really ready for prime time usage just
yet.  In fact, that's all rather experimental at the moment and
suitable only for gurus to play with.

There is an alternative.

You can achieve something like what you want with a bit of
firewall trickery.  Add an alias IP to the loopback interface --
say 127.0.0.2

:# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
        inet 127.0.0.2 netmask 0xffffffff 

Now create a jail using that IP.  Something like this in
/etc/rc.conf is what you'll need, plus following the instructions
in jail(8) to create the filesystems in the jail:

jail_enable="YES"
jail_list="j1"
jail_j1_hostname="j1.example.com"
jail_j1_interface="lo0"
jail_j1_mount_enable="YES"
jail_j1_fstab="/etc/fstab.jail.j1"
jail_j1_ip="127.0.0.2"
jail_j1_rootdir="/jail/j1.example.com"

Fire up whatever services you want inside your jail -- within it,
you'll have to configure everything to bind to the jail IP
127.0.0.2 specifically, but that's just the way things are in jails
even without this redirection trick.

Now, configure the IPs on interfaces you want the outside world to
see as belonging to your jail -- for illustrative purposes I'll
choose 12.34.56.78 and 12.34.56.79 as example addresses to use for
the jail. Then use firewall NAT functionality to redirect traffic
into the jail.  If you use pf (definitely recommended) then a
snippet like the following should be useful in /etc/pf.conf:

# ext_if must be defined earlier in pf.conf; the interface name is
# site-specific (an assumption here), e.g. ext_if="em0"
jail_int="127.0.0.2"
jail_ext0="12.34.56.78"
jail_ext1="12.34.56.79"

# Outward connections from within the jail
nat on $ext_if proto { tcp udp }           \
     from $jail_int                        \
     to !$jail_int -> $jail_ext0 static-port

# Incoming connections to the jail
rdr on $ext_if proto tcp                   \
     from any                              \
     to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

If you want to run multiple HTTPS v-hosts from within the jail
you'll have to configure them to all run on distinct port numbers
within apache, and use something like this to generate the mapping:

rdr on $ext_if proto tcp                   \
     from any                              \
     to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp                   \
     from any                              \
     to $jail_ext1 port 443 -> $jail_int port 9443

This approach works pretty well for many protocols, but it does have
the basic limitation that you can tell a priori from within the jail
which external address the traffic went to.  Either you've got to
determine the answer by looking at the traffic payload (e.g. HTTP has
a header saying which v-host the request is for) or apply the sort of
port remapping shown above.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
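An added example, not code from the post above: a small Python model of the rdr rules in the reply that renders the pf.conf fragment and shows which jail socket each external connection lands on, so the limitation described (port 80 on both external addresses reaching the same jail socket, port 443 remapped so they stay distinct) can be checked. The jail IP and external addresses are those from the post; the interface name "em0" is an assumption.

```python
"""Added example, not code from the mailing-list post: a small model of the
pf rdr rules in the reply, showing which jail socket each external
connection lands on. Jail IP and external IPs are the post's; the interface
name "em0" is an assumption."""

JAIL_INT = "127.0.0.2"                  # loopback alias the jail binds to
EXT_IPS = ("12.34.56.78", "12.34.56.79")
EXT_IF = "em0"                          # assumed external interface name

# (external addresses matched, external port, port inside the jail)
# Rules as in the post: 25 and 80 pass through unchanged, 443 is remapped
# per external address so the jail can tell the HTTPS v-hosts apart.
RULES = [
    (EXT_IPS, 25, 25),
    (EXT_IPS, 80, 80),
    ((EXT_IPS[0],), 443, 8443),
    ((EXT_IPS[1],), 443, 9443),
]

def render_pf(rules=RULES):
    """Emit pf.conf text equivalent to the rule list (one rdr per port)."""
    lines = [f'ext_if="{EXT_IF}"', f'jail_int="{JAIL_INT}"',
             f"nat on $ext_if proto {{ tcp udp }} from $jail_int "
             f"to !$jail_int -> {EXT_IPS[0]} static-port"]
    for ips, port, to_port in rules:
        dst = ips[0] if len(ips) == 1 else "{ " + " ".join(ips) + " }"
        lines.append(f"rdr on $ext_if proto tcp from any to {dst} "
                     f"port {port} -> $jail_int port {to_port}")
    return "\n".join(lines)

def translate(dst_ip, dst_port, rules=RULES):
    """pf applies translation rules first-match: return the (ip, port) the
    jail sees for a connection to dst_ip:dst_port, or None if no rdr hits."""
    for ips, port, to_port in rules:
        if dst_ip in ips and dst_port == port:
            return (JAIL_INT, to_port)
    return None

def distinguishable(ext_port, rules=RULES):
    """True if connections to ext_port on each external address reach
    distinct jail sockets, i.e. the jail can tell the addresses apart."""
    sockets = {translate(ip, ext_port, rules) for ip in EXT_IPS}
    return None not in sockets and len(sockets) == len(EXT_IPS)

if __name__ == "__main__":
    print(render_pf())
    for port in (80, 443):
        print(port, "distinguishable inside jail:", distinguishable(port))
```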
