pf and jails
jim at ohlste.in
Thu Feb 6 15:28:29 UTC 2014
On 2/6/14, 9:34 AM, Tyler Saylor wrote:
> I'm running FreeBSD 10-RELEASE on i386. I have set up a few jails for
> services such as httpd and postfix using ezjail. The host has one physical
> ethernet interface and I have five routeable IPv4 addresses; of the five,
> four are assigned to a jail and one is assigned to the host. I have a jail
> for mysql that is set up to use a clone of lo and the address "10.1.1.1".
> I'm also using pf to filter traffic to each service on the host.
> My question is this: How do I make it so that the other jails that are
> bound to routable addresses are able to interact with the jail on 10.1.1.1? Is
> there some magic pf voodoo I'm not understanding, or some mental deficiency
> I'm just now being made aware of? I've included my pf.conf and included an
> Thanks for any help,
> //Tyler Saylor
> For illustration:
> Each pipe represents a real, routable IPv4 address assigned to the
> respective jail. The star represents the private address of the jail I'd
> like to be accessible from the others.
>
> em0--|--|--|--|--| lo1--*
>      h  w  i  m  s      m
>      o  w  r  a  v      y
>      s  w  c  i  n      s
>      t        l         q
Assuming all of your jails are on the same loopback clone, and assuming
you have not set "skip-networking" in your my.cnf, they should be able
to talk to one another using the IP of the jail in question.
Have you tried telnet?
# telnet 10.1.1.1 3306
That should give a result like:
Connected to 10.1.1.1.
Escape character is '^]'.
In your app, you'll probably need to set the "database host" or similar
to the jail IP (10.1.1.1 in this case) rather than to "localhost".
"Never argue with a fool, onlookers may not be able to tell the
difference." - Mark Twain
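The poster's pf.conf did not make it into the archived message, so the following is an added pf.conf fragment (not the original poster's configuration, and not Jim's) showing one way to let the routable jails on em0 reach the MySQL jail on the cloned loopback while keeping 10.1.1.1 unreachable from outside. The interface names, the jail addresses (RFC 5737 documentation space stands in for the real routable ones) and the default-deny policy are assumptions. The key point is that a connection from a jail bound to a routable address to 10.1.1.1 has the routable address as its source and never leaves the machine: it is delivered over a loopback interface, so a rule on em0 alone will never match it.

```pf
# Added example; interface names and addresses are assumptions, not the
# original poster's pf.conf.
ext_if    = "em0"
jail_if   = "lo1"                 # cloned loopback carrying the MySQL jail
mysql_ip  = "10.1.1.1"
# Routable jail addresses (www, irc, mail, svn); placeholders from 192.0.2.0/24
web_jails = "{ 192.0.2.11, 192.0.2.12, 192.0.2.13, 192.0.2.14 }"

set block-policy drop

# Default deny; everything below opens only what is needed.
block log all

# The host's own loopback stays unfiltered.
pass quick on lo0 all

# Jail-to-jail MySQL: source is a routable jail address, destination is the
# private address on lo1. Match the "lo" interface group rather than lo1
# alone so the rule still applies if the kernel delivers the packet over
# another loopback interface.
pass quick on lo proto tcp from $web_jails to $mysql_ip port 3306 \
    flags S/SA keep state

# The private MySQL address must never be reachable from the wire.
block in quick on $ext_if from any to $mysql_ip

# Normal inbound service rules for the routable jails go here, e.g.
pass in quick on $ext_if proto tcp from any to 192.0.2.11 port { 80, 443 } \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and if the connection still fails, run `tcpdump -nei pflog0` while retrying the telnet test so the blocked packet and the interface it was seen on are visible. Two caveats that are easy to miss: the MySQL jail's `bind-address` must be 10.1.1.1 (not 127.0.0.1, which no other jail can reach), and because the connecting jail's source address is its routable IP, the MySQL grants must name that host (for example `'app'@'192.0.2.11'`), not `localhost`.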