Jaily a jedna IP

Miroslav Prýmek m.prymek at gmail.com
Thu Jan 28 16:29:55 CET 2010

Previous message: Jaily a jedna IP
Next message: Jaily a jedna IP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>> 
>> Pokud se v jailech ma provozovat verejne dostupna sluzba, pak bude to NATovani asi rozumnym resenim.
>> 
>> Myslim, ze lze spoustet i vice jailu na stejne IP, ale pak si zase clovek musi lepe pohlidat, aby si omylem ve vice jailech nepustil sluzbu na stejnem portu - treba ssh (dokud jsou jaily na stejne IP, ale pouzivaji jine porty pro naslouchajici sluzby, melo by vse byt OK)
> 
> Ano, spustat viacej jailov na jednej IP je mozne a ja to tak bezne pouzivam. Napriklad klasicky web server s databazou mam rozdeleny na 3 jaily: server-web pre HTTP, server-sweb pre HTTPS a server-db pre DB. Vsetky na jednej IP adrese. Ak je k dispozicii iba jedna IP, tak na tej istej IP bezi aj host environment.
> 
> Samozrejme plati to co pisal ML, ze nejde prevadzkovat sluzby na rovnakom porte. Kazde SSH mam nastavene na iny port a napriklad server-db vobec nie je pristupny cez SSH.
> 
> Marian

Tak jsem to trochu zkousel a vypada to dobre, akorat mi neni uplne jasne, jak
vlastne funguje sitovani z jailu (a mezi nimi) a jestli jde nejak filtrovat.

Vytvoril jsem si tap rozhrani, na ktere ty jaily vesim (veseni na lo se mi nejak nezda).
rc.conf:
cloned_interfaces="tap0"
ifconfig_tap0="10.0.1.1 netmask 255.255.255.0"
ifconfig_tap0_alias0="10.0.1.2 netmask 255.255.255.0"
ifconfig_tap0_alias1="10.0.1.3 netmask 255.255.255.0"
ifconfig_tap0_alias2="10.0.1.4 netmask 255.255.255.0"

Firewall (PF) jsem zatim pro testovani nastavil takhle (PF pouzivam poprve,
takze kazdou pripominku rad privitam):

ext_if="fxp0"
jail_if="tap0"

smtp_master="10.0.1.2"
www_master="10.0.1.3"

rdr on $ext_if proto tcp to port http -> $www_master
rdr on $ext_if proto tcp to port https -> $www_master
rdr on $ext_if proto tcp to port smtp -> $smtp_master

tcp_services_main = "{ssh}"
tcp_services_jails = "{ssh, smtp, www}"

block log all
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services_main
pass in on $ext_if proto tcp to ($jail_if) port $tcp_services_jails
pass out log on $ext_if all

Cekal bych, ze spojeni z jailu do Internetu bude blokovany, protoze jde pres tap0, ale neni tomu tak.

Kdyz v jailu spustim 
[www-master:~]# telnet 74.125.87.99 80
tak se normalne pripoji a v logu je:
001069 rule 12/0(match): pass out on fxp0: <IPcko fxp0>.61663 > 74.125.87.99.80:  tcp 36 [bad hdr length 4 - too short, < 20]

Rozhrani videno z jailu:
[www-master:~]# ifconfig 
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>                                <-------- IP tady neni, jak pres nej muze jit paket?
	ether XXXXXXXXXXX
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:bd:f2:39:00:00
	inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204

Jak si to mam vylozit? PF ignoruje tap rozhrani a nefiltruje tam? Cekal bych, ze paket pujde pres tap0 do fxp0 a pak teprve ven.

Jde teda nejak udelat filtrovani mezi jaily a popr. filtrovani toho, co muze jit ven z jailu?

diky za pomoc a sorry, pokud jsem uplne mimo ;)

Mirek

Previous message: Jaily a jedna IP
Next message: Jaily a jedna IP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users-l mailing list