Jack Raats wrote:
Hi, I'm looking for a good manual on how to implement ipfw in and with jails. Google doesn't give anything useful. Thanks for your time.
By default, the only way you can implement firewalling (either ipfw, ipf or pf) is within the host system -- it simply has not been possible to control firewalls from within a jail. Until now, that is.

You will need to be running 8.0-RELEASE or a more recent version. You will also need to compile yourself a custom kernel with

    options VIMAGE

This is /experimental/[*] code that allows each jail to have its own virtualised network stack, aka "vnet", which includes being able to run a per-jail instance of firewalling software. According to

http://www.freebsd.org/releases/8.0R/relnotes-detailed.html#KERNEL

you will need a command line along the lines of the following to create a vnet-enabled jail:

    # jail -c vnet name=vnet1 host.hostname=vnet1.example.net path=/ persist

There's not much online discussion about this yet, but one key piece of information you will need is how to move a network interface into a jail -- look for the description of the 'vnet' option in ifconfig(8). You might also be interested in the new epair(4) driver, which is one step more complicated than a loopback interface in that it creates a back-to-back pair of synthetic ethernet interfaces. (The idea being that you move one end of the pair into a jail to give yourself a connection from the jail to the outside world.)

Cheers,

Matthew

[*] As in: no refunds will be given.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
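The sequence Matthew sketches (epair, vnet jail, move one end of the pair in, then run ipfw inside the jail), written out as an added example that is not from the thread. Jail name, hostname, addresses and the epair unit number are constructed placeholders; by default it only prints the commands, and RUN=1 executes them on a VIMAGE host.

```shell
#!/bin/sh
# Added example: build a vnet jail on a FreeBSD 8.x VIMAGE kernel and give it
# its own ipfw instance. ipfw must already be loaded on the host (kldload ipfw
# or compiled in); with VIMAGE each vnet then gets a separate rule set.
JAILNAME="${JAILNAME:-vnet1}"                 # jail name, as in the thread
JHOST="${JHOST:-vnet1.example.net}"           # jail hostname, as in the thread
HOST_ADDR="${HOST_ADDR:-10.0.0.1/24}"         # constructed host-side address
JAIL_ADDR="${JAIL_ADDR:-10.0.0.2/24}"         # constructed jail-side address
RUN="${RUN:-0}"                               # 0 = print commands, 1 = execute

run() {
    if [ "$RUN" = "1" ]; then "$@"; else echo "$*"; fi
}

vnet_jail_setup() {
    if [ "$RUN" = "1" ]; then
        A=$(ifconfig epair create)            # prints the real name, e.g. epair0a
    else
        A=epair0a                             # assumed unit number for the dry run
    fi
    B="${A%a}b"                               # the other end of the pair
    run ifconfig "$A" inet "$HOST_ADDR" up    # host end stays in the host vnet
    run jail -c vnet name="$JAILNAME" host.hostname="$JHOST" path=/ persist
    run ifconfig "$B" vnet "$JAILNAME"        # ifconfig(8) 'vnet': move b end in
    run jexec "$JAILNAME" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$JAILNAME" ifconfig "$B" inet "$JAIL_ADDR" up
    # These rules land in the jail's own ipfw instance, not the host's.
    run jexec "$JAILNAME" ipfw -q add 100 allow ip from any to any via lo0
    run jexec "$JAILNAME" ipfw -q add 200 allow tcp from any to me 22 setup
    run jexec "$JAILNAME" ipfw -q add 300 allow ip from any to any out keep-state
    run jexec "$JAILNAME" ipfw -q add 65000 deny log ip from any to any
}

vnet_jail_setup
```

The host end of the epair still needs a route or bridge to reach beyond the host; the example stops at the jail's own firewall.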