Dave Cottlehuber wrote on 2019/03/01 12:43:
On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
Is there some easy way to determine the primary (source) address which
is used in jail with multiple IP addresses?

I came to this problem when running local_unbound in a jail. Unbound
refuses queries originating in this jail because they do not come from
the real 127.0.0.1 (which is the only one allowed by default). Unbound in
the jail sees requests coming from the jail's IP. It is easy to determine
(in a shell script) if the jail has only one IP.
But what in the case where the jail has multiple IPs? Is there some sysctl,
some call to ifconfig, or any other util to get the IP which will be used
as the source address for queries to local services in the jail?

Specifically for unbound, try interface-automatic and see if that helps.

        interface-automatic: <yes or no>
               Detect source interface on UDP queries and copy them to replies.
               This  feature  is experimental, and needs support in your OS for
               particular socket options.  Default value is no.

# /etc/unbound/conf.d/secure.conf
server:
     # answer from the address/interface the query arrived on
     interface-automatic:  yes
     # access-control picks the most specific matching prefix, so the
     # /0 and ::/8 refusals act as the default for everything else
     access-control:       127.0.0.0/8   allow
     access-control:       10.0.0.0/8    allow
     access-control:       0.0.0.0/0     refuse
     # caveat: ::1/64 is the whole ::/64 block (including the IPv4-mapped
     # range ::ffff:0:0/96), not just the loopback; ::1/128 is loopback only
     access-control:       ::1/64        allow
     access-control:       ::/8          refuse
...


I don't use it quite the same way as you do, though, and it doesn't solve the
generic problem.  I run a single unbound instance in the host system,
and only allow jails to resolve via that.

https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

Thanks to all for the replies. It seems that it is easier to list all the jail's IPs in the access-control with a /32 mask than to try to find the source address.
I can live with it ;)

Miroslav Lachman
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"