Jails and IPFW

Paul Procacci pprocacci at datapipe.com
Mon Dec 14 08:21:12 UTC 2009


I hope I'm not misinterpreting your response.  Given what you stated,
then I perceive what you stated is correct.
Just a thought, but it might make sense for you to specify -J <name>
(man jail) via jail_<jname>_flags via rc.conf for each of your
configured jails.  Perhaps this would be easier on _you_ for future and
current administration of your firewall.

This would allow you to add a tad of logic to your firewall script that
grabs a specific jail id and uses it instead.  Also, this allows you to
move IPs without much trouble if you ever plan on doing so.  Here is an
example that I have for a jail that I've got trimmed to hopefully make
it easy on the eyes:

###############################################
rc.conf
--------------------
# -J writes a tab-separated jid file for this jail at startup
jail_xxx_flags="-J /var/jail/xxx"

ipfw.conf
--------------------------
cmd="ipfw -q add"
pif="bge0"
# the jail id is the first tab-separated field of the -J file
xxx_id=`cut -f1 < /var/jail/xxx`

<snip>
$cmd 506 allow tcp from any to me 22,80,443 in via $pif setup jail $xxx_id limit src-addr 6
<snip>
###############################################

Hope this gives ya some insight and/or potentially will make things
easier for ya.

~Paul

One suggestion however would be to use different rule numbers for these
rules as it could be a slight pain to modify later.
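The -J approach above, worked into a small script as an added example (not code from the thread): it reads the jid from each jail's -J file, rejects a non-numeric value, and emits one rule per jail with distinct rule numbers so a single jail's rule can be changed later on its own. The jid directory, jail names and addresses are constructed assumptions, the -J files are assumed tab-separated with the jid first (as the post's `cut -f1` implies), and the script prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: prints ipfw commands.

jid_dir="${JID_DIR:-$(mktemp -d)}"   # constructed sample -J files live here
pif="bge0"
cmd="echo ipfw -q add"               # drop the leading 'echo' on a real host

# Constructed sample -J files: jid, name, path, hostname, ip (tab-separated),
# the layout assumed for jail(8) -J output.
printf '3\twww\t/usr/jail/www\twww.example.org\t192.0.2.10\n'   > "$jid_dir/www"
printf '7\tmail\t/usr/jail/mail\tmail.example.org\t192.0.2.11\n' > "$jid_dir/mail"

# jail_id FILE: print the jid stored in a -J file; fail if it is not numeric,
# so a missing or half-written file cannot silently produce a rule without
# a jail match.
jail_id() {
    id=$(cut -f1 < "$1") || return 1
    case "$id" in
        ''|*[!0-9]*) echo "bad jid in $1" >&2; return 1 ;;
    esac
    echo "$id"
}

# jail_rules BASE NAME...: one rule per jail, numbered BASE, BASE+10, ...
# so each jail's rule can be deleted or replaced without touching the rest.
jail_rules() {
    base=$1; shift
    n=$base
    for name in "$@"; do
        id=$(jail_id "$jid_dir/$name") || return 1
        $cmd "$n" allow tcp from any to me 22,80,443 in via "$pif" setup \
            jail "$id" limit src-addr 6
        n=$((n + 10))
    done
}

jail_rules 5000 www mail
```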
Jack Raats wrote:
> Hi Paul,
>
> I'll understand, but I want to run apache and ssh on both jails using their
> standard configs.
> (So they listen to every ip address and interface).
>
> From your answer I learn that ipfw has to run on the host machine like:
> $IPF 6000 pass tcp from any to $jail1 22,80 in
> $IPF 6000 pass tcp from any to $jail2 22,80 in
>
> Jack
>
> ----- Original Message -----
> From: "Paul Procacci" <pprocacci at datapipe.com>
> To: "Jack Raats" <jack at jarasoft.net>
> Cc: <freebsd-stable at freebsd.org>
> Sent: Monday, December 14, 2009 6:33 AM
> Subject: Re: Jails and IPFW
>
>
> If you are asking whether the root user of the jail can implement their
> own firewall, then no that is not possible.
> If you are asking whether you can use ipfw along side jails, then yes
> you can.  The administration of said firewall doesn't change one bit due
> to the introduction of a jail.
> So, if it's information pertaining to ipfw that you need then `man ipfw`
> is what you seek.
>
> ~Paul
>
>
> Jack Raats wrote:
>
>> Hi,
>>
>> I'm looking for a good manual how to implement ipfw in and with jails.
>> Google doesn't give anything useful
>>
>> Thanks for your time
>>
>> Jack
>
>

