Re: Can I persuade someone to commit this patch? (Re: Multiple IP addresses in a jail.)

From: Oliver Fromme <olli_at_lurza.secnetix.de>
Date: Tue, 1 Aug 2006 11:57:37 +0200 (CEST)
Josef Karthauser <joe_at_freebsd.org> wrote:
 > Dear current folk, I'm forwarding this thread from the -net list where I
 > asked the question, is it possible to have more than one IP address in a
 > jail?  The answer is yes, with Pawel's patch.  The question here is can
 > I persuade anyone to commit this to head and MFC it please?  The
 > motivation is simple.  I need to run a second SSL web server inside of a
 > jail, however that needs another IP address because SSL is incompatible
 > with HTTP/1.1.

There are several solutions to that problem, even with a
single IP address within the jail.

The simplest solution is probably to give the jail an
internal IP address (such as 10.0.0.1, or even a localhost
address such as 127.0.0.2), put the SSL servers on multiple
different port addresses, and use IPFW FWD rules to forward
packets to the appropriate ports within the jail (you'll
also need a NAT rule to fix the source in outgoing packets).
I think PF provides similar functionality if you don't want
to use IPFW.

For example (FWD rules):

40.30.20.10:443  -->  127.0.0.2:10443
40.30.20.11:443  -->  127.0.0.2:11443
40.30.20.12:443  -->  127.0.0.2:12443

In that example, 40.30.20.* are the official IP addresses,
and 127.0.0.2 is the jail's address.  Such a solution has
several advantages:
 - The jail doesn't have an official, routable IP at all
   (security!).
 - There's no limit on the number of SSL servers per jail
   (despite the jail having only one IP address).
 - The SSL servers can be bound to ports > 1024, so they
   can be run as a non-privileged user right from the start.
 - Works on standard FreeBSD 4.x, 5.x, 6.x.

However, there are certainly other situations where it would
be useful to be able to have multiple IP addresses per jail,
or even a completely virtualized IP stack and routing table
per jail.  Therefore I wouldn't mind if such a patch gets
committed.  :-)

Just my 2 cents.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"The scanf() function is a large and complex beast that often does
something almost but not quite entirely unlike what you desired."
        -- Chris Torek
Received on Tue Aug 01 2006 - 07:57:45 UTC
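As an added example (not part of Oliver's mail), a small sh script that turns the address/port mapping from the post into ipfw(8) fwd rules for the inbound side and natd(8) redirect entries for the return path; the interface name em0, the rule numbers and the choice of natd for the NAT step are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): emit the ipfw(8) rules for the
# "one jail address, several public SSL addresses" layout described above.
# Addresses and ports are the post's example values; the interface name,
# rule numbers and the use of natd(8) for the return path are assumptions.
JAIL_IP=127.0.0.2          # jail's (non-routable) address, as in the post
EXT_IF=em0                 # assumed external interface
MAPPINGS="40.30.20.10 10443
40.30.20.11 11443
40.30.20.12 12443"         # "<public ip> <jail port>", one per line

# Inbound: a client hitting <public ip>:443 is handed to the SSL server
# listening on $JAIL_IP:<jail port> inside the jail. No "setup" keyword:
# every packet of the connection, not only the SYN, needs forwarding.
gen_fwd_rules() {
    n=1000
    echo "$MAPPINGS" | while read -r pub port; do
        [ -n "$pub" ] || continue
        echo "ipfw add $n fwd $JAIL_IP,$port tcp from any to $pub 443 in via $EXT_IF"
        n=$((n + 10))
    done
}

# Return path: replies leave with source $JAIL_IP:<jail port>, so they are
# diverted to natd, whose static redirect_port entries rewrite the source
# back to <public ip>:443 (assumed natd(8) configuration, not from the post).
gen_nat_rules() {
    echo "ipfw add 2000 divert natd tcp from $JAIL_IP to any out via $EXT_IF"
    echo "# natd.conf entries:"
    echo "$MAPPINGS" | while read -r pub port; do
        [ -n "$pub" ] || continue
        echo "redirect_port tcp $JAIL_IP:$port $pub:443"
    done
}

# Refuse a mapping that reuses a jail port for two public addresses:
# the second fwd rule would silently send both sites to the same server.
check_mappings() {
    dups=$(echo "$MAPPINGS" | awk 'NF { print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Print the rules instead of loading them, so they can be reviewed first.
if [ "${1:-}" = "--print" ]; then
    check_mappings || { echo "duplicate jail port in MAPPINGS" >&2; exit 1; }
    gen_fwd_rules
    gen_nat_rules
fi
```

Run with `sh script.sh --print` and compare the output against the intended mapping before loading it into a live ruleset.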
