Josef Karthauser <joe_at_freebsd.org> wrote:

> Dear current folk, I'm forwarding this thread from the -net list where I
> asked the question, is it possible to have more than one IP address in a
> jail? The answer is yes, with Pawel's patch. The question here is can
> I persuade anyone to commit this to head and MFC it please? The
> motivation is simple. I need to run a second SSL web server inside of a
> jail, however that needs another IP address because SSL is incompatible
> with HTTP/1.1.

There are several solutions to that problem, even with a single IP address within the jail.

The simplest solution is probably to give the jail an internal IP address (such as 10.0.0.1, or even a localhost address such as 127.0.0.2), put the SSL servers on multiple different port addresses, and use IPFW FWD rules to forward packets to the appropriate ports within the jail (you'll also need a NAT rule to fix the source in outgoing packets). I think PF provides similar functionality if you don't want to use IPFW.

For example (FWD rules):

    40.30.20.10:443 --> 127.0.0.2:10443
    40.30.20.11:443 --> 127.0.0.2:11443
    40.30.20.12:443 --> 127.0.0.2:12443

In that example, 40.30.20.* are the official IP addresses, and 127.0.0.2 is the jail's address.

Such a solution has several advantages:

- The jail doesn't have an official, routable IP at all (security!).
- There's no limit on the number of SSL servers per jail (despite the jail having only one IP address).
- The SSL servers can be bound to ports > 1024, so they can be run as non-privileged user right from the start.
- Works on standard FreeBSD 4.x, 5.x, 6.x.

However, there are certainly other situations where it would be useful to be able to have multiple IP addresses per jail, or even a completely virtualized IP stack and routing table per jail. Therefore I wouldn't mind if such a patch gets committed. :-)

Just my 2 cents.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"The scanf() function is a large and complex beast that often does something almost but not quite entirely unlike what you desired." -- Chris Torek

Received on Tue Aug 01 2006 - 07:57:45 UTC
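As an added example (not part of Oliver's mail), a small sh script that turns the three mappings above into the IPFW fwd rules the mail describes; the interface name em0, the rule numbers and the kernel option IPFIREWALL_FORWARD are assumptions, and the NAT rule for connections the jail itself opens is left out.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the IPFW "fwd" rules for
# the three mappings quoted above (40.30.20.1[0-2]:443 -> 127.0.0.2:1n443).
# Assumptions: the public interface is em0 and the kernel was built with
# "options IPFIREWALL_FORWARD" (required for fwd on 4.x-6.x). Both are
# placeholders to adjust. NAT for the jail's own outgoing traffic is not included.
EXT_IF=${EXT_IF:-em0}
JAIL_IP=${JAIL_IP:-127.0.0.2}

# Constructed mapping table: official address, public port, port inside the jail.
MAP='40.30.20.10 443 10443
40.30.20.11 443 11443
40.30.20.12 443 12443'

# fwd_rule OFFICIAL_IP PUBLIC_PORT JAIL_PORT
# Prints one rule body: inbound TCP for OFFICIAL_IP:PUBLIC_PORT arriving on EXT_IF
# is handed to the socket the jail has bound on JAIL_IP:JAIL_PORT. The packet is
# not rewritten, so no routable address has to exist inside the jail.
fwd_rule() {
    printf 'fwd %s,%s tcp from any to %s %s in via %s' \
        "$JAIL_IP" "$3" "$1" "$2" "$EXT_IF"
}

# emit_rules: one "add" line per mapping, numbered from 1000 upward so the set
# can be listed and removed as a group ("ipfw delete 1000-1099").
emit_rules() {
    n=1000
    echo "$MAP" | while read -r ip pport jport; do
        [ -n "$ip" ] || continue
        printf 'add %d %s\n' "$n" "$(fwd_rule "$ip" "$pport" "$jport")"
        n=$((n + 1))
    done
}

# Print the rules by default; "--apply" installs them (as root) with /sbin/ipfw.
# Afterwards "ipfw show 1000-1099" shows whether the fwd rules are matching.
if [ "${1:-}" = "--apply" ]; then
    emit_rules | while read -r line; do /sbin/ipfw $line; done
else
    emit_rules
fi
```

Inside the jail, the servers listen on 127.0.0.2:10443 and so on as an unprivileged user; only the host's IPFW rules know the official addresses.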