Re: different default gateway for jails planed/possible?

From: Julian Elischer <julian_at_elischer.org>
Date: Tue, 31 May 2005 10:40:37 -0700
Jeremie Le Hen wrote:

>Hi Emanuel,
>
>  
>
>>will it be possible to define a different default gateway for a jail?
>>Imagine a system with two interfaces, one for the host on a local GbE 
>>Switch (with NFS service) and the other one connected to a different 
>>DMZ-Switch which should serve different jails.
>>Now the DMZ is useless since anybody who broke into one jail can reach all 
>>hosts on the "host" interface without having the possibillity to restrict 
>>traffic on the router since the packets go straight to the GbE interface. 
>>This is a big security disadvantage and if I block these packets I can't 
>>any longer connect from machines inside the GbE network to the jails in 
>>the DMZ. The request will be routed but answers go down the "host" 
>>interface, instead to the DMZ router interface. Even a different default 
>>gateway wouldn't help in this case, the kernel had to "keep in mind" that 
>>packets from a jail mustn't be forwarded through any jail-foreign 
>>interface. Also the usual routing table had to be overwritten since 
>>packets from a jail should go over the router to the GbE network (although 
>>there is a well known route, the interface which has the GbE net 
>>configured).
>>But at least packets from a jail should be limited that they can't pass any 
>>other interface(s) than the one(s) which belong to the particular jail.
>>I think PFs route-to next-hop rule would be a workarround for my problem  
>>but I'm not too happy to have PF on a GbE Fileserver.
>>    
>>
>
>I think you can use ipfw(8) as a workaround, since it knows about
>jail IDs and can forward packets any IP address.  Netgraph is maybe
>an alternative, but I'm not sure about it.
>  
>

you are correct..
your best bet is to use the 'fwd' command of ipfw to send packets from 
the JAIL IP
to a different gateway.

>IMHO, hacking the IP stack in order to make it jail aware would lead
>to a real mess.  The right way to do this would be to have IP stack
>virtualization, as it exists for RELENG_4 [1].  Unfortunately, this
>is available neither for RELENG_5 nor CURRENT, and my coding skills
>are clearly not good enough to do this.
>
>  
>
>>Another jail question: Is it possible to limit resources on jail-basis? 
>>Like resource restrictions for useres in login.conf only for whole jails.
>>    
>>
>
>AFAIK, no, this is not possible, this would need virtualization as well.
>
>[1] http://www.tel.fer.hr/zec/vimage/
>Regards,
>  
>
Received on Tue May 31 2005 - 15:40:38 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:35 UTC