vnet jail for local only or public access
luzar722 at gmail.com
Fri Jul 17 12:46:10 UTC 2020
Trying to figure out how to configure a vnet jail so it is restricted to
only being able to talk to other vnet jails on the same host, i.e. local-only
vnet jails, as opposed to vnet jails that are able to access the public
internet.
Using the bridge/epair method of connecting vnet jails to the host.
[ based on this how-to ]
It's my understanding that this behavior is controlled by whether the host's
interface connected to the public internet is added as a member of the
bridge that the vnet jails' epairXa interfaces are members of.
I tested this on a remote VM and found that it made no difference one
way or the other whether the host's interface connected to the public internet
was added as a member of the bridge or not. In both cases the vnet jail
had public internet access.
On my home server I set up this scenario and observed the same behavior.
This behavior raises some questions.
Is it technically possible to segregate vnet jails into groups: vnet
jails that are restricted to local-host-only access and another group
that has public access?
If so what is the mechanism that controls this ability?
If I wanted both local-only and public vnet jails on the same host, I
would think each group would need its own bridge. Where do we go from there?
Is my understanding correct and this is a bug in if_bridge?
More information about the freebsd-questions