David Allen wrote:
There was a post recently (Matthew Seaman's name comes to mind) that suggested binding jails to addresses in the loopback range and then using firewall rules to redirect the traffic accordingly. There's a possibility that may help in this case, but that layer of added complexity isn't much of an improvement over seeing connections with seemingly identical endpoints and interpreting the results in my head.
Guilty as charged M'lud. However, what I recommended was a more-than-slightly hacky way to achieve three things:
* Something like a loopback address inside the jail. It may be 127.0.0.2 instead of 127.0.0.1 but most software can be persuaded to use it for loopback style things.
* The ability to map several IPs onto the jailed system by use of NAT and redirect within firewall rules.
* The ability to have a jail with /no/ external IP for when the paranoia becomes unbearable[*].

Of course, all this will be immediately obsoleted by Marco Zec's work on virtualizing the IP stack. http://imunes.tel.fer.hr/virtnet/

Cheers,

Matthew

[*] Combine this with a Hardware Load Balancer that does Direct Server Return and you can have a publicly accessible jailed server with /no external IP address/.
-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
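The NAT-plus-redirect arrangement Matthew describes, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from any FreeBSD documentation; the interface name em0, the jail address 127.0.0.2 on lo0, and TCP port 80 as the only published service are all assumptions, and later recipes often put the jail on a cloned lo1 with an RFC 1918 address instead, in which case only jail_ip changes.

```pf
# Added example: pf.conf fragment for a jail bound to a loopback-range address.
# Assumptions: em0 is the external interface, the jail lives on 127.0.0.2,
# and the jail publishes nothing but TCP/80.
ext_if  = "em0"
jail_ip = "127.0.0.2"

# Outbound: the jail has no public address of its own, so source-NAT its
# traffic to the host's address. This is the "jail with no external IP" case.
nat on $ext_if inet from $jail_ip to any -> ($ext_if)

# Inbound: redirect only the published port to the jail. Adding further
# rdr lines with other public addresses maps several IPs onto the one jail.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $jail_ip port 80

# Default deny on the way in, logged, so anything not explicitly redirected
# to the jail is dropped and visible in pflog.
block in log all

# Host's own outbound traffic (and the jail's NATed traffic) is allowed.
pass out quick keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the translation rules in effect and `pfctl -s state` shows which external endpoints currently map to the jail's loopback address, which answers the "seemingly identical endpoints" problem from the quoted message without having to work it out by hand.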