Jails and networks

Norman Gray norman.gray at glasgow.ac.uk
Sun Aug 26 18:19:43 UTC 2018

Dave and other spectators, hello.

On 25 Aug 2018, at 16:21, Dave Cottlehuber wrote:

> Your jail needs to have some way to send & receive traffic via the
> host to the internet. Just adding an address to the external
> igb0 interface will only work if the adjacent router allows that, and
> it almost certainly won't by default.
> This means you need either NAT or routing on your system to take
> care of this for you.

*sigh* this was the problem.  The host is on a private network (which
routes to the internet), the jails were on, and there was no routing
between them.  I added (the commented equivalent of)

     # assumed definitions, not in the original post: igb0 is the external
     # interface named above, the jail interface name is a placeholder
     ext_if   = "igb0"
     jail_if  = "JAIL_INTERFACE"
     jail_net = $jail_if:network
     internet = $ext_if:network
     scrub in all
     # translate jail sources on the way out ($internet is the whole
     # external network; the conventional target is the host address, ($ext_if))
     nat pass on $ext_if from $jail_net to any -> $internet
     pass out
     pass in

to /etc/pf.conf, and I can now happily route from the jail to the World 
Wide Web of Wonderfulness.


This is of course fairly obvious in retrospect.

In production, these jails will have to talk only to the host (they'll 
be Ceph nodes), but of course when experimenting, and when setting 
things up, they'll have to be able to see further afield.  I had the 
endpoint (too) firmly in mind when I started on the sub-problem of 
learning about jails, so I never reexamined the slightly unusual network 
environment I had initially set up for myself.

Moral: when you cut down the problem to make it easier to understand, 
make sure the sub-problem is actually simpler.  Step further back.

In my original list post, I even said, apropos one of the most useful 
resources I found, 'Now, I don't think I need pf in my situation, so I 
want to skip that part of the instructions.'  Did I mention: *sigh*?

Moral: when you skip part of the instructions, be _really_ clear why 
they were there in the first place.

I have a clearer idea of jails+interfaces than I had: jails are much 
less magical than I thought going in to this, and in particular the set 
of interfaces in the jail is (roughly) merely a tweaked version of the 

I confess I'm still unclear why I don't see a default route in
`netstat -rn` within the jail, and that `telnet www.gla.ac.uk 80` works
but `route get www.gla.ac.uk` claims there is no route.  But perhaps
I'll leave that mystery for another day.

But at least I got to spend some quality time with Stevens' IP book, so 
that was good.

Thanks again to all who gave advice, and best wishes,


Norman Gray  :  https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
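An added example, not taken from the post or the freebsd-questions thread: a pf.conf covering both phases described above, NAT out of the host while the jails are being set up, and the production policy where the jails (Ceph nodes) may talk only to the host. igb0 is the external interface named in the thread; the jail interface bridge0, the host's address on it and the macro names are assumptions, and the host must also have net.inet.ip.forwarding=1 (gateway_enable="YES" in rc.conf) before any of it routes.

```pf
# Added example; interface names other than igb0 are assumptions.
ext_if   = "igb0"
jail_if  = "bridge0"            # assumed: the interface carrying the jail addresses
jail_net = $jail_if:network     # the jails' private prefix
host_jail_addr = $jail_if       # the host's own address on the jail network

set skip on lo0
scrub in all

# --- setup / experimentation only ---
# Translate jail sources to the host's external address.  The parenthesised
# ($ext_if) selects the interface's current address, not a whole network,
# so replies come back to the host instead of to an arbitrary neighbour.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Default deny; everything below is an explicit exception.
block log all

# The host itself: outbound traffic and inbound SSH on the external side.
pass out on $ext_if
pass in on $ext_if proto tcp to ($ext_if) port 22

# Jails <-> host on the jail network.  This is all the production Ceph
# nodes need; with only these two rules a jail cannot reach the internet
# or anything else beyond the host, because "block log all" applies.
pass in  on $jail_if from $jail_net to $host_jail_addr
pass out on $jail_if from $host_jail_addr to $jail_net

# --- setup / experimentation only: remove for production ---
# Lets jail traffic enter the host on $jail_if so it can be forwarded and
# NATed out of $ext_if by the rules above.
pass in on $jail_if from $jail_net to any
```

Blocked forwarding attempts show up in `pfctl -s state` as absent and in the pflog interface as "block" entries, which is how to confirm the production policy is actually in force rather than merely intended.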

More information about the freebsd-questions mailing list