Jeremie Le Hen wrote:
>Hi Emanuel,
>
>>will it be possible to define a different default gateway for a jail?
>>Imagine a system with two interfaces, one for the host on a local GbE
>>Switch (with NFS service) and the other one connected to a different
>>DMZ-Switch which should serve different jails.
>>Now the DMZ is useless since anybody who broke into one jail can reach all
>>hosts on the "host" interface without having the possibility to restrict
>>traffic on the router since the packets go straight to the GbE interface.
>>This is a big security disadvantage and if I block these packets I can't
>>any longer connect from machines inside the GbE network to the jails in
>>the DMZ. The request will be routed but answers go down the "host"
>>interface, instead to the DMZ router interface. Even a different default
>>gateway wouldn't help in this case, the kernel had to "keep in mind" that
>>packets from a jail mustn't be forwarded through any jail-foreign
>>interface. Also the usual routing table had to be overwritten since
>>packets from a jail should go over the router to the GbE network (although
>>there is a well known route, the interface which has the GbE net
>>configured).
>>But at least packets from a jail should be limited that they can't pass any
>>other interface(s) than the one(s) which belong to the particular jail.
>>I think PF's route-to next-hop rule would be a workaround for my problem
>>but I'm not too happy to have PF on a GbE Fileserver.
>>
>
>I think you can use ipfw(8) as a workaround, since it knows about
>jail IDs and can forward packets to any IP address. Netgraph is maybe
>an alternative, but I'm not sure about it.
>

you are correct..
your best bet is to use the 'fwd' command of ipfw to send packets from the JAIL IP to a different gateway.

>IMHO, hacking the IP stack in order to make it jail aware would lead
>to a real mess. The right way to do this would be to have IP stack
>virtualization, as it exists for RELENG_4 [1]. Unfortunately, this
>is available neither for RELENG_5 nor CURRENT, and my coding skills
>are clearly not good enough to do this.
>
>>Another jail question: Is it possible to limit resources on jail-basis?
>>Like resource restrictions for users in login.conf only for whole jails.
>>
>
>AFAIK, no, this is not possible, this would need virtualization as well.
>
>[1] http://www.tel.fer.hr/zec/vimage/
>Regards,
>

Received on Tue May 31 2005 - 15:40:38 UTC
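Added example (not from the thread or from any of its authors): an ipfw(8) ruleset that does what the reply suggests, redirecting the jail's traffic to the DMZ router instead of letting it leave on the host's GbE interface. Interface names, networks and addresses are constructed placeholders; it assumes the host's own default route points out the GbE interface and that the kernel has the `fwd` action compiled in (options IPFIREWALL_FORWARD on FreeBSD 5.x).

```sh
#!/bin/sh
# Pin a jail's traffic to its DMZ side with ipfw 'fwd'.  Constructed
# values: jail 10.0.0.10 in DMZ net 10.0.0.0/24 on em1, DMZ router
# 10.0.0.1, host GbE interface em0.  Set IPFW=echo to preview the rules
# instead of loading them.
IPFW=${IPFW:-ipfw}

# jail_fwd_rules JAIL_IP DMZ_NET DMZ_IF DMZ_GW HOST_IF
jail_fwd_rules() {
    jail_ip=$1 dmz_net=$2 dmz_if=$3 dmz_gw=$4 host_if=$5

    # Traffic between the jail and other DMZ hosts stays on the DMZ segment.
    $IPFW add 1000 allow ip from "$jail_ip" to "$dmz_net" out xmit "$dmz_if" || return 1
    $IPFW add 1001 allow ip from "$dmz_net" to "$jail_ip" in recv "$dmz_if" || return 1

    # Anything the routing table would send out the host interface (replies
    # to GbE clients, traffic to the host's default gateway) gets the DMZ
    # router as next hop instead, so it leaves via the DMZ interface and
    # can be filtered there.  'xmit' is the interface chosen by routing
    # before 'fwd' overrides the next hop.
    $IPFW add 1010 fwd "$dmz_gw" ip from "$jail_ip" to any out xmit "$host_if" || return 1

    # Requests for the jail must also arrive through the DMZ router, not
    # directly on the host interface.
    $IPFW add 1020 deny ip from any to "$jail_ip" in recv "$host_if" || return 1
}

# Usage: jail_fwd_rules 10.0.0.10 10.0.0.0/24 em1 10.0.0.1 em0
```

The host's own traffic is untouched because every rule matches on the jail's address; ipfw stops at the first matching terminal action, so the `fwd` rule must come before any deny covering the same packets.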
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:35 UTC