I hope I'm not misinterpreting your response. Given what you stated,
then I perceive what you stated is correct.
Just a thought, but it might make sense for you to specify -J <name>
(man jail) via jail_<jname>_flags via rc.conf for each of your
configured jails. Perhaps this would be easier on _you_ for future and
current administration of your firewall.
This would allow you to add a tad of logic to your firewall script that
grab a specific jail id and use it instead. Also, this allows you to
move ip's without much trouble if you ever plan on doing so. Here is an
example that I have for a jail that I've got trimmed to hopefully make
it easy on the eyes:
###############################################
rc.conf
--------------------
jail_xxx_flags="-J /var/jail/xxxx"
ipfw.conf
--------------------------
$cmd="ipfw -q"
$pif="bge0"
$xxx_id=`cut -f1 < /var/jail/xxx`
<snip>
$cmd 506 allow tcp from any to me 22,80,443 in via $pif setup jail
$xxx_id limit src-addr 6
<snip>
###############################################
Hope this gives ya some insight and/or potentially will make things
easier for ya.
~Paul
One suggestion however would be to use different rule numbers for these
rules as it could be a slight pain to modify later.
Jack Raats wrote:
Hi Paul,
I'll understand, but I want to run apache and ssh on both jails using their
standard configs.
(So they listen to every ip address and interface).
From your answer I learn than ipfw has to run on the host machine like:
$IPF 6000 pass tcp from any to $jail1 22,80 in
$IPF 6000 pass tcp from any to $jail2 22,80 in
Jack
----- Original Message -----
From: "Paul Procacci" <pproca...@datapipe.com>
To: "Jack Raats" <j...@jarasoft.net>
Cc: <freebsd-stable@freebsd.org>
Sent: Monday, December 14, 2009 6:33 AM
Subject: Re: Jails and IPFW
If you are asking whether the root user of the jail can implement their
own firewall, then no that is not possible.
If you are asking whether you can use ipfw along side jails, then yes
you can. The administration of said firewall doesn't change one bit due
to the introduction of a jail.
So, if it's information pertaining to ipfw that you need then `man ipfw`
is what you seek.
~Paul
Jack Raats wrote:
Hi,
I'm looking for a good manual how to implement ipfw in and with jails.
Google doesn't give anything usefull
Thanks for your time
Jack
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
This message may contain confidential or privileged information. If you are
not the intended recipient, please advise us immediately and delete this
message. See http://www.datapipe.com/emaildisclaimer.aspx for further
information on confidentiality and the risks of non-secure electronic
communication. If you cannot access these links, please notify us by reply
message and we will send the contents to you.
This message may contain confidential or privileged information. If you are
not the intended recipient, please advise us immediately and delete this
message. See http://www.datapipe.com/emaildisclaimer.aspx for further
information on confidentiality and the risks of non-secure electronic
communication. If you cannot access these links, please notify us by reply
message and we will send the contents to you.
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
