Jails and networks

Dave Cottlehuber dch at skunkwerks.at
Sat Aug 25 15:21:14 UTC 2018

On Thu, 23 Aug 2018, at 20:44, Norman Gray wrote:
> Greetings.
>    * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions.  But I now suspect I'm doing so naively.
> My host is on a private network, which is routable
> locally, though it has to use a proxy to get to the web.  I want to set
> up a jail on (slightly at random)

Your jail needs to have some way to send & receive traffic via the
host to the internet. Just adding a address to the external
igb0 interface will only work if the adjacent router allows that, and
it almost certainly won't by default.

This means you need either NAT or routing on your system to take
care of this for you.

You might try your initial jail setup with a address from
the same pool as your host, ensuring that the IP address is already
free, and then you can work through the other issues that crop up,
but soon you'll want pf for the jails on their own RFC1928 private

I am no pf expert but something like this might be all you need:

# /etc/rc.conf additions
# jail networks
cloned_interfaces="${cloned_interfaces} lo1"
# provide a single IP for the jail using the IP you already chose
# provide additional 2 IPs for other jails
# and reboot

# /etc/pf.conf
# and `service pf start`

# interfaces
extl_if = "igb0"
jail_if = "lo1"

# networks
jail_net = $jail_if:network
internet = $extl_if:network

# clean packets are happy packets
scrub in all

# jails are allowed outbound connections but not inbound
# these should be set up explicitly using spiped or haproxy
nat on $extl_if proto tcp from   $jail_net to any -> ($extl_if)


More information about the freebsd-questions mailing list