jails, subnets and etc?
Jeff Tipton
jeff.t at mail.com
Sun Mar 23 08:16:15 UTC 2014
Hello,
On 03/23/2014 06:11, Littlefield, Tyler wrote:
> hello all:
> I'm curious if I'm doing this right, and would like some advice from
> someone.
> First, I created a jail with ezjails and set it's IP to 192.168.0.2,
> then bound mysql to that address.
> The idea is that mysql can run in its own jail while not being
> accessible to the outside world. I set the gateway (defaultrouter in
> the jail's rc.conf) to the IP address of my machine so the system can
> access the network.
Basically, you don't have to do that; you may do without the
"defaultrouter" line there at all.
> This is where I run into a bit of fun: I am unable to ping/telnet to
> 192.168.0.2 3306, and I am unable to telnet out of the jail. So, I
> have a few questions:
By default, ping doesn't work with jails. If you want to enable it, you
have to set the security.jail.allow_raw_sockets sysctl value to 1. But
telnet should work without this setting.
> 1) what needs to happen on the pf side to forward ports from x.x.x.x
> (my external-facing interface), to a specific address and port on the
> subnet? the idea is that I will just use pf to forward ports to
> public-facing jailed services.
Example destination NAT in pf.conf
rdr on bge0 proto tcp from any to any port 3306 -> 192.168.0.2
(where bge0 is the device name of your external interface; replace it
with your own)
> 2) Do I need to do something special to get this subnet set up? What
> needs to happen to get the jail and the host talking to each other?
> thanks in advance,
>
Jail and host should talk to each other without special settings. Maybe
you have some restrictions in pf? Try to flush all rules (pfctl -Fa).
How did you set up the network interface in your host machine -- is it
accessible to your jails?
-Jeff
More information about the freebsd-questions
mailing list