how to make a non-vnet jail local only?

Ernie Luzar luzar722 at gmail.com
Thu Aug 6 11:44:00 UTC 2020


Shane Ambler wrote:
> On 6/8/20 1:39 am, Arthur Chance wrote:
>> On 05/08/2020 15:17, Ernie Luzar wrote:
>>> Arthur Chance wrote:
>>>> On 05/08/2020 02:02, Ernie Luzar wrote:
>>>>> I have non-vnet jails working that can reach the public internet.
>>>>> But now I would like to make some local only non-vnet jails that can
>>>>> only access other local only non-vnet jails. By local I mean having no
>>>>> access to the public internet.
>>>>>
>>>>> How do I make this happen?
>>>>>
>>>>> Thanks for any pointers.
>>>> Create a second loopback interface (cloned_interfaces="lo1" in
>>>> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
>>>> local jails on lo1 without access to any other interface.
>>>>
>>> I tested this already and it doesn't work.
>>>
>>> non-vnet jail with lo99 for the nic and ip address of 10.0.28.5 can
>>> still reach the public internet.
> 
> Do you have bridging or routing enabled?
> 
> Routing can receive foreign packets on an interface and route them to a
> different interface.
> 
> Bridging connects interfaces, sending the same packets on each.
> 
> 
> While I don't have jails setup, I use sysutils/vm-bhyve for bhyve
> instances. I have two "vm switches" which are bridge interfaces
> connecting bhyve instances with physical interfaces, one bridges with
> wlan0 and allows a vm to get internet access, the second bridges with
> re0, which has no physical connection and provides no internet access to
> bhyve instances, but I can ssh into it from the host.
> 
> I have -
> net.link.bridge.ipfw: 0
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
> net.inet.ip.sourceroute: 0
> 

Using 12.1 generic with the system default for those settings.
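The reason a loopback alias alone does not isolate a non-vnet jail is that such a jail has no network stack of its own: it shares the host's, and the host routes a packet from 10.0.28.5 out the default gateway regardless of which interface that address is aliased on. The isolation therefore has to come from the packet filter. Below is an added example of how that could look with pf (it is not code from the thread or from anyone in it); it assumes the local-only jails live in 10.0.28.0/24 on lo1, that the uplink is em0, and that the host already NATs its other jails on em0 (all three are assumptions, only the 10.0.28.5 address comes from the thread). The `no nat` line matters: in pf the translation rules run before the filter rules, so without it the outbound filter on em0 would see the already-translated host address and never match. The sysctl sample is constructed for the offline check.

```sh
#!/bin/sh
# Added example for isolating non-vnet jails with pf. Not from the thread.
# Assumptions (hypothetical names): local-only jails in 10.0.28.0/24 aliased
# on lo1, uplink em0, existing NAT for other jails on em0.

LOCAL_NET="10.0.28.0/24"
EXT_IF="em0"
LOOP_IF="lo1"

# Emit a pf ruleset fragment that keeps $1 (the local-only jail net) off the
# external interface $2. $3 is the loopback clone the jails are aliased on.
gen_pf_rules() {
    cat <<EOF
# Translation runs before filtering in pf, so exempt the local-only jails
# from NAT first; otherwise the block rule below would see the host's
# translated address and never match.
no nat on $2 from $1 to any
# (the existing "nat on $2 from <other jail nets> to any -> ($2)" rule goes here)

# Traffic among the local-only jails stays inside the host stack.
pass quick from $1 to $1

# Nothing from the local-only jails leaves via $2, and nothing reaches them from it.
block drop out quick on $2 from $1 to any
block drop in quick on $2 from any to $1
EOF
}

# Sanity check: how many block rules does the fragment contain?
count_block_rules() {
    gen_pf_rules "$@" | grep -c '^block'
}

# Given sysctl-style output ("name: value" per line), print the value of
# net.inet.ip.forwarding, or 0 if the line is absent. With forwarding on,
# the host will also route for other hosts' packets between its interfaces,
# so an alias on lo1 provides no isolation at all.
forwarding_enabled() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "net.inet.ip.forwarding" { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample of sysctl output, used so the check runs offline.
SAMPLE_SYSCTL="net.inet.ip.forwarding: 1
net.link.bridge.pfil_bridge: 1"

if [ "$(forwarding_enabled "$SAMPLE_SYSCTL")" = "1" ]; then
    echo "warning: net.inet.ip.forwarding=1, the host routes between interfaces" >&2
fi

gen_pf_rules "$LOCAL_NET" "$EXT_IF" "$LOOP_IF"
```

On the real host, replace the constructed sample with `sysctl net.inet.ip.forwarding`, splice the emitted fragment into /etc/pf.conf ahead of the existing NAT rule, and confirm from inside a local-only jail that a connection to an outside address now fails while one to another 10.0.28.x jail still works.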

