Jail with public IP alias

Alejandro Imass aimass at yabarana.com
Thu Aug 29 00:58:37 UTC 2013

On Wed, Aug 28, 2013 at 2:42 PM, Patrick <gibblertron at gmail.com> wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aimass at yabarana.com> wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <frank2 at fjl.co.uk> wrote:
>>> On 28/08/2013 00:19, Patrick wrote:


> I don't think that's true though in the case of jails. On the host
> system, yes, but when a jail is bound to a particular IP, outbound
> connections originate from that bound IP. At least they do for me in
> all of my experience. Still wondering if you're using NAT with your
> jails, as that could change things.

Nope, no NAT. I verified what you said using the aliases in lo0 and it
does in fact use the correct private IP, and that is, well, no surprise,
because we rarely have jails with actual public IPs, so I didn't notice
this strange behaviour before. Actually, not so strange once you
understand what's going on:

It doesn't work the same using the public IP because the public IP
goes through a gateway, so it's a different case. In that case it will
use the "primary" IP assigned to the device in that subnet that goes
through that routing rule. You can test this if you want, but you will
need to re-create a scenario where you have multiple IPs assigned to
a physical network card that route through a common gateway. In
this case, it will use only the primary IP assigned to the network card.
If you actually test it you will see it's not a jail issue; it simply
works that way, and it will be consistent on a jail or the base system.

The only ways to fix this are either through the routing table or
source address re-writing with IPFW or similar.

> (FWIW, we use ezjail as well. It doesn't do anything special except
> make having lots of jails easy and lightweight.)

It does a lot more than that! We use flavours and have pre-loaded
environments for easy deployment, much like people use VMware. For
example, we do a lot of development in Catalyst and it takes forever to
install a working Catalyst env, which we only have to do once and then
create Cat-flavoured jails in minutes. We also archive and
re-instantiate jails on other servers, or add more capacity to an
existing env just by archiving and creating a clone jail on another
server. So basically with EzJail we have our own cloud-type
environment but running on the real hardware and with much more
granular control. We also use Amazon AWS, but not for anything that's
core to the company. We do a ton of other stuff that relies on EzJail's
tools, for example update one jail to test and then simply re-create
that one to replace all the others. Plain old jails will do the same
thing for sure, but if you manage hundreds you'll probably wind up
re-inventing EzJail in the first place.


Alejandro Imass
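Added example (not part of the original post or of EzJail): the check a practitioner wants after reading the above is "which source address does the kernel actually pick for this destination, and does binding first change it?" The script below uses the UDP connect() trick: connecting a UDP socket sends nothing on the wire, but it makes the kernel run route lookup and source-address selection, which getsockname() then exposes. It runs offline against loopback; the 127.0.0.2 alias is an assumption that only holds on hosts where the whole 127.0.0.0/8 block is local (Linux does this, FreeBSD normally only has 127.0.0.1 on lo0 unless you add an alias), so that case is handled as optional. Port 53 is just a placeholder destination port.

```python
import socket

# Constructed sample destinations for the demonstration (not from the post).
LOOPBACK_DEST = "127.0.0.1"   # always reachable without network access
LOOPBACK_ALIAS = "127.0.0.2"  # assumed alias; may not be bindable on this host


def kernel_chosen_source(dest_ip, dest_port=53, bind_ip=None):
    """Return the source IP the kernel selects for traffic to dest_ip.

    connect() on a UDP socket transmits nothing; it only fixes the route
    and the source address, which getsockname() reports. When bind_ip is
    given the socket is bound first, which forces that source instead of
    whatever the routing table would pick (the application-level counterpart
    of fixing the route or rewriting the source in the firewall).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_ip is not None:
            s.bind((bind_ip, 0))
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]
    finally:
        s.close()


def source_mismatch(dest_ip, expected_source, dest_port=53):
    """True when the kernel would NOT originate traffic to dest_ip from
    expected_source.

    This is the symptom discussed in the thread: a service that merely
    listens on an alias can still send from the interface's primary address
    unless something (bind, routing, or source rewriting) pins it.
    """
    return kernel_chosen_source(dest_ip, dest_port) != expected_source


def forced_source(dest_ip, bind_ip, dest_port=53):
    """Bind to bind_ip first, then connect. Returns the source actually used,
    or None when bind_ip is not configured on this host (EADDRNOTAVAIL)."""
    try:
        return kernel_chosen_source(dest_ip, dest_port, bind_ip=bind_ip)
    except OSError:
        return None


if __name__ == "__main__":
    print("kernel picks:", kernel_chosen_source(LOOPBACK_DEST))
    print("mismatch vs 127.0.0.1:", source_mismatch(LOOPBACK_DEST, "127.0.0.1"))
    print("forced via alias:", forced_source(LOOPBACK_DEST, LOOPBACK_ALIAS))
```

To reproduce the situation in the post, run it from a host or jail with several aliases on one NIC and a public destination instead of loopback: kernel_chosen_source() will report the primary address of the interface that the route uses, and forced_source() with an alias shows that an explicit bind is one way to get the alias used when you cannot change the routing table or add IPFW source rewriting.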
