
Re: [ezjail] ezjail and ipfw



Jack,

Situation:
You have a host with 3 IPs: xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy and zzz.zzz.zzz.zzz

You have 2 jails: one assigned to xxx.xxx.xxx.xxx and another that has both remaining IPs. If you start apache in the first jail it will bind to xxx.xxx.xxx.xxx by default. Only one IP, because it's the one assigned to the jail. If you start apache in the second jail it will bind to yyy.yyy.yyy.yyy and zzz.zzz.zzz.zzz - they are both attached to the second jail. They won't try to bind to each other's IPs because they don't even see them from inside the jail. You don't need a firewall for that.

Ruben
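A host-side check for the point made above about host services (sshd, ntpd) being the ones that need their listen addresses changed, added here as an example and not part of the original thread. It parses `sockstat -4 -l` output and reports every listener bound to the wildcard address `*`, which is the configuration the thread says must be changed on the host. The sample output below is constructed, not a real capture, and the function names are this example's own:

```sh
#!/bin/sh
# Added example, not from the ezjail thread: list host services that
# listen on the wildcard address instead of a specific host IP.

# Constructed sample of `sockstat -4 -l` output (not a real capture).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     ntpd       700   20 udp4   *:123                 *:*
root     ntpd       700   22 udp4   192.0.2.10:123        *:*
www      httpd      950   4  tcp4   192.0.2.11:80         *:*'

# wildcard_listeners: read sockstat output on stdin and print
# "COMMAND PROTO PORT" for each socket whose local address is *:port.
# Field 6 is the LOCAL ADDRESS column in data rows; the header is skipped.
wildcard_listeners() {
  awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, $5, a[2] }'
}

# count_wildcard_listeners: number of wildcard listeners on stdin.
count_wildcard_listeners() {
  wildcard_listeners | wc -l | tr -d ' '
}

# Usage on a real FreeBSD host:  sockstat -4 -l | wildcard_listeners
# Here it is run over the constructed sample instead.
printf '%s\n' "$SAMPLE" | wildcard_listeners
```

On the sample this reports `sshd tcp4 22` and `ntpd udp4 123`; the ntpd socket already bound to 192.0.2.10 and the httpd socket on 192.0.2.11 are left alone, since they are tied to one address. Run on the host rather than inside a jail, because a jail only sees its own sockets.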

Jack Raats wrote:
Ruben,

This would mean that I have to change e.g. every httpd.conf of Apache to
listen to the IP address assigned. The problem is that the jails are
maintained by someone else.
I somewhere read that this could be prevented by using the firewall.

Jack





Jack,

Services inside a jail will only listen to addresses assigned to the jail.
They won't try to listen to any other system address. All you should take
care of are host services (I had to make changes to the ssh and ntpd configs
myself).

Ruben

Jack Raats wrote:
I know. Every jail has its own IP address.

When creating jails using ezjail-admin you'll get a list of ports
already used by the system.
e.g. port 22 is being used by sshd on the host machine and also in the
jail.
To accomplish this you have to change the configs of sshd to listen to
their own IP address and not all addresses.

Is it possible to use the standard configs (listen to all addresses)
using ipfw so that the jail can listen to all addresses in its configs
while in fact it only listens to its own IP address?

Thanks

Jack




----- Original Message ----- From: "Ruben Arutyunyan"
<ruben_arutyunyan AT shl DOT ru>
To: <ezjail AT erdgeist DOT org>
Sent: Monday, December 14, 2009 7:21 AM
Subject: Re: [ezjail] ezjail and ipfw


Jack,

As far as I know every IP address in the system can be used by a maximum of
one jail. You can't make all jails listen on all ports.

Ruben

Jack Raats wrote:
Ruben,

I already read that part of the handbook, but it doesn't explain
how to use ipfw in a jail.
I want ipfw to separate the two jails so that every jail can use the
standard configs (to listen to all IP addresses and all ports).

Thanks for your answer!

Jack



----- Original Message ----- From: "Ruben Arutyunyan"
<ruben_arutyunyan AT shl DOT ru>
To: <ezjail AT erdgeist DOT org>
Sent: Monday, December 14, 2009 7:16 AM
Subject: Re: [ezjail] ezjail and ipfw


Hello,

have a look
http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html

Ruben

Jack Raats wrote:
Hi,

I'm looking for a good manual on how to implement ipfw in and with
jails.
Google doesn't give anything useful.

The (ez)jail is running without any problem, but how to implement
ipfw?
On the host machine? How?

Thanks for your time

Jack