jails & network/firewall setup

Robroy Gregg robroy at robroygregg.com
Thu Jan 5 19:02:58 UTC 2017

Good day Ernie,

On Thu, 5 Jan 2017, Ernie Luzar wrote:

> Finally got myself a static IP address added to the dynamic IP address 
> already assigned by my ISP. Both have their own unique domain names pointing 
> to them and going to the same MAC address modem. Yes I run ddclient to insure 
> the dynamic IP address and it's domain name are keep in sync. When I do a 
> ifconfig command I see the NIC facing the public internet has those 2 IP 
> address listed.
> If I assign the static IP address to a jail, will all traffic travailing on 
> that IP address be seen only by that jail without any firewall NAT forwarding 
> rules being used?

Yes, packets destined for the jail your static IP's assigned to should 
reach jailed processes without requiring NAT.

You probably already know about this point, yet regarding whether traffic 
will be seen only by the jail or not--though you won't need NAT, it'll 
still be necessary for you to configure daemons on your host system to 
associate only with your dynamic IP; otherwise, they may also associate 
with your static IP, which will make a confusing and/or insecure mixture 
of jailed and base processes available on the static IP.

For instance, both OpenSSH and the NFS server associate themselves with 
all IPs on the computer, by default (and this would include your jail's 
static IP, despite these processes running in the host system, and not in 
the jail).

And I don't know of any slick way to configure daemons in general to 
associate with a specific, yet dynamically assigned IP (but maybe you do).

> IE: assuming there are no firewall rules blocking traffic on that IP 
> address.
> Lets state it a different way. Does all traffic targeted for a jail need to 
> have firewall NAT rules by IP address and port number to forward just the 
> desired port number traffic to that jail?

No, if I've understood your networking configuration correctly, you won't 
need NAT.

If your jail were assigned only an internal, private IP address, then 
getting traffic destined for your public, static IP to the jail and back 
would require NAT.

Happiness to you Ernie,

More information about the freebsd-questions mailing list