putting jails on public addresses

Michael Ross gmx at ross.cx
Thu Aug 21 03:48:13 UTC 2014

On Thu, 21 Aug 2014 05:02:07 +0200, Littlefield, Tyler  
<tyler at tysdomain.com> wrote:

> On 8/20/2014 10:50 PM, James Gritton wrote:
>> On 8/20/2014 5:20 PM, Littlefield, Tyler wrote:
>>> Hello:
>>> I'd really like to put a couple of jails on publically accessible IP  
>>> addresses. I have 5 that my provider has assigned to me. Could anyone  
>>> possibly shed
>>> some light on how to do this? I know of epairs, but I'm not sure  
>>> exactly how this works: does each interface (a and b) get an address?  
>>> I presume one would
>>> be and the other would be x.x.x.x (where x.x.x.x is the  
>>> public address)? Which one should i set the gateway on?
>>> Thanks a lot for the help,
>> You shouldn't need to mess with epair for most jails.  Just specify the  
>> jails' addresses (ip4.addr=x.x.x.x) in your jail.conf, and be sure to  
>> have an "interface=foo0" global line.  The simplest jail setup is one  
>> using publicly available addresses on a single interface, which sounds  
>> like what you have.
> Hello:
> Thanks a lot for the info. I guess I should have been a bit more  
> explicit: I want to be able to assign firewall rules to these separate  
> jails. I don't think I can assign rules based on address but have to  
> have some sort of interface. For example, port 80 will be open on two  
> jails, but one should have rate limiting applied to it.
> Thanks,
>> - Jamie

With ipfw, you could do something like:

allow ip from any to <x.x.x.100> 80
allow ip from any to <x.x.x.101> 80 limit src-addr 4
reset ip from any to me 80  # catch-all


More information about the freebsd-questions mailing list