Jails and IPFW

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Dec 14 08:28:38 UTC 2009


Jack Raats wrote:
> Hi,
> 
> I'm looking for a good manual on how to implement ipfw in and with jails.
> Google doesn't give anything useful.
> 
> Thanks for your time

By default, the only way you can implement firewalling (either ipfw, ipf
or pf) is within the host system -- it simply has not been possible to
control firewalls from within a jail.

Until now, that is.

You will need to be running 8.0-RELEASE or a more recent version. You will
also need to compile yourself a custom kernel with

   options VIMAGE

This is /experimental/[*] code that allows each jail to have its own
virtualised network stack aka "vnet", which includes being able to run a
per-jail instance of firewalling software.  According to 

http://www.freebsd.org/releases/8.0R/relnotes-detailed.html#KERNEL

you will need a command line along the lines of the following to create
a vnet-enabled jail:

   # jail -c vnet name=vnet1 host.hostname=vnet1.example.net path=/ persist

There's not much online discussion about this yet, but one key piece of
information you will need is how to move a network interface into a jail --
look for the description of the 'vnet' option in ifconfig(8).  You might
also be interested in the new epair(4) driver, which is one step more
complicated than a loopback interface in that it creates a back-to-back
pair of synthetic ethernet interfaces. (The idea being that you move one
end of the pair into a jail to give yourself a connection from the jail to
the outside world.)

	Cheers,

	Matthew

[*] As in: no refunds will be given.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
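A script that carries out the steps Matthew outlines (vnet jail, epair(4) pair, one end moved into the jail with ifconfig's vnet option, ipfw run inside the jail), added here as an example and not part of the original mail. The jail name vnet1 comes from the mail; the example.net hostname, the 192.0.2.0/24 addresses and the ipfw rules are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes FreeBSD 8.0 or later
# with a kernel built with 'options VIMAGE', run as root on the host.
# DRY_RUN=1 prints the commands instead of executing them.

JAIL=${JAIL:-vnet1}                    # jail name (from the mail)
HOST_ADDR=${HOST_ADDR:-192.0.2.1/24}   # host end of the epair link (constructed)
JAIL_ADDR=${JAIL_ADDR:-192.0.2.2/24}   # jail end of the epair link (constructed)

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 'ifconfig epair create' prints the name of the 'a' end (e.g. epair0a);
# the matching 'b' end has the same name with a trailing 'b'.
create_epair() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo epair0a; else ifconfig epair create; fi
}

vnet_jail_up() {
    a=$(create_epair)
    b="${a%a}b"
    # Create the jail with its own virtualised network stack (the vnet flag).
    run jail -c vnet name="$JAIL" host.hostname="$JAIL.example.net" path=/ persist
    # Move the 'b' end into the jail; the 'a' end stays on the host.
    run ifconfig "$b" vnet "$JAIL"
    run ifconfig "$a" "$HOST_ADDR" up
    run jexec "$JAIL" ifconfig lo0 127.0.0.1/8 up
    run jexec "$JAIL" ifconfig "$b" "$JAIL_ADDR" up
    # Per-jail ipfw ruleset, independent of the host's firewall:
    # allow loopback, ssh from the host end only, icmp, then default deny.
    run jexec "$JAIL" ipfw -q flush
    run jexec "$JAIL" ipfw -q add 100 allow ip from any to any via lo0
    run jexec "$JAIL" ipfw -q add 200 allow tcp from "${HOST_ADDR%/*}" to me 22 setup keep-state
    run jexec "$JAIL" ipfw -q add 300 allow icmp from any to any
    run jexec "$JAIL" ipfw -q add 65000 deny log ip from any to any
}

# Usage: sh vnet_jail.sh dry-run   (print commands)
#        sh vnet_jail.sh apply     (execute on the host)
case "${1:-}" in
    apply)   vnet_jail_up ;;
    dry-run) DRY_RUN=1; vnet_jail_up ;;
esac
```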
