IT Notes - security

Stefano Marinelli · 2022-01-14 · via IT Notes - security

The OVH (and Soyoustart, of course) network is configured in a somewhat unusual way, and setting up failover IPs isn't always as straightforward as you'd expect.

Sometimes you want (or need) to give a FreeBSD jail its own public IP address without resorting to NAT, but there is little documentation on how to do this inside a jail.

Let's suppose your FreeBSD host's public IP address is 1.2.3.4 and your failover IP is 6.7.8.9.

First of all, go to your control panel (OVH/Soyoustart/etc.) and generate a MAC address for the failover IP you want to assign to the jail. OVH's routers only deliver traffic for a failover IP to the virtual MAC registered for it, so the jail's frames must carry that address. Let's assume it's ca:fe:ca:fe:ca:fe.

Now go back to the FreeBSD host and note its gateway (it should be 1.2.3.254, i.e. the host's own /24 with .254 as the last octet, but double check with netstat -rn); you'll need it later.

Now it's time to create the jail. I love BastilleBSD as it's light, has no dependencies and is being actively developed. I won't cover how to install and bootstrap Bastille in this article; for further information, have a look at the official documentation.

We need VNET for this, so that the jail gets its own complete network stack: its own interface, routing table and ARP table, which is exactly what a separate MAC address and a gateway outside the jail's subnet require. If you've read that VNET is unstable, you've found some old articles; it is stable now and safe to use.

So, let's create the jail. With VNET, Bastille creates a bridge interface and attaches to it both your physical interface and the host side of the epair whose other end goes into the jail. Let's suppose the physical host interface is em0 and call the jail p1:

bastille create -V p1 14.2-RELEASE 6.7.8.9 em0

We're asking Bastille to create a VNET jail (-V) named p1 running FreeBSD 14.2-RELEASE, with the IP address 6.7.8.9, and to attach the bridge it creates to em0. The jail is created and started, but it isn't ready to use yet.

Let's stop the jail:

bastille stop p1

Now edit the jail's jail.conf (with Bastille's default layout that is /usr/local/bastille/jails/p1/jail.conf), since we have to set the MAC address generated on the web panel on the jail's interface.

You'll find something like this:

…
vnet;
 vnet.interface = e0b_bastille0;
 exec.prestart += "jib addm bastille0 em0";
 exec.prestart += "ifconfig e0a_bastille0 description \"vnet host interface for Bastille jail p1\"";
 exec.poststop += "jib destroy bastille0";
}

Add the following line right after exec.prestart += "jib addm bastille0 em0"; (the epair name bastille0 is whatever Bastille wrote in your jail.conf; use the one you see there):

exec.prestart += "ifconfig e0a_bastille0 ether ca:fe:ca:fe:ca:fe";

Now configure the network interface inside the jail, since Bastille cannot know about OVH's unusual network setup on its own. Edit the jail's rc.conf; if you haven't changed Bastille's default layout, it is:

/usr/local/bastille/jails/p1/root/etc/rc.conf

Remove the network settings Bastille already wrote there and replace them with something like this:

ifconfig_vnet0="inet 6.7.8.9 netmask 255.255.255.255 broadcast 6.7.8.9"
static_routes="ovh"
route_ovh="-net 1.2.3.254 -iface vnet0"
defaultrouter="1.2.3.254"

The gateway 1.2.3.254 lies outside the jail's /32, so a plain default route through it would be rejected as unreachable. The route_ovh entry is an interface route: it tells FreeBSD that the "foreign" gateway is reachable directly on vnet0, with no intermediate hop, and with that in place the default route through 1.2.3.254 can be installed and connections flow out.

Save, exit and start the jail:

bastille start p1

Congratulations: you can now ping the jail's public IP, and the jail reaches the outside world from its own public address. Two quick checks are worth doing. Inside the jail, bastille cmd p1 netstat -rn should list 1.2.3.254 as reachable via vnet0 and a default route through it. On the host, tcpdump -e -n -i em0 host 6.7.8.9 should show the jail's frames leaving with the source MAC ca:fe:ca:fe:ca:fe, the address OVH expects for that failover IP; if a different MAC shows up, re-check the ether line in jail.conf.
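The whole procedure above, as an added example that is not part of the original post: a small POSIX sh script that validates the four values involved (the virtual MAC, the failover IP, the host IP and the gateway), renders the jail.conf MAC hook and the rc.conf network stanza the post edits by hand, and can apply them to a stopped jail. It assumes Bastille's default layout under /usr/local/bastille (overridable through the hypothetical BASTILLE_PREFIX variable), that the OVH gateway is .254 of the host's /24 (a heuristic, to be confirmed with netstat -rn), and it writes the static route as -host rather than the post's -net, which is the same /32 route stated more explicitly. The apply_config function is only defined, not run; the sample jail.conf fragment in the usage comment is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): render and apply the OVH failover-IP
# configuration for a Bastille VNET jail. Assumes Bastille's default prefix
# /usr/local/bastille (override with BASTILLE_PREFIX) and that the jail is stopped.

# validate_mac MAC: succeeds only for six lower-case hex pairs separated by colons,
# the form OVH's panel hands out for a virtual MAC.
validate_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# validate_ipv4 IP: dotted quad with every octet in 0..255.
validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
}

# ovh_gateway HOST_IP: the usual OVH gateway for a host, its /24 with .254 as the
# last octet (1.2.3.4 -> 1.2.3.254). A heuristic; confirm on the host with netstat -rn.
ovh_gateway() {
    printf '%s.254\n' "${1%.*}"
}

# jail_rc_conf JAIL_IP GATEWAY: the network stanza for the jail's /etc/rc.conf.
# "-host" is used instead of the post's "-net": a bare address without a mask ends
# up as a /32 either way, but -host states the intent (an interface route to one host).
jail_rc_conf() {
    cat <<EOF
ifconfig_vnet0="inet $1 netmask 255.255.255.255 broadcast $1"
static_routes="ovh"
route_ovh="-host $2 -iface vnet0"
defaultrouter="$2"
EOF
}

# insert_mac_line MAC: reads a Bastille jail.conf on stdin and writes it to stdout
# with an "ifconfig e0a_<epair> ether MAC" prestart hook added right after the
# "jib addm <epair> <if>" hook, taking the epair name (bastille0, ...) from that line.
insert_mac_line() {
    awk -v mac="$1" '
        { print }
        /exec\.prestart \+= "jib addm / {
            split($0, f, "jib addm "); split(f[2], g, " ")
            printf "  exec.prestart += \"ifconfig e0a_%s ether %s\";\n", g[1], mac
        }'
}

# apply_config JAIL MAC JAIL_IP GATEWAY: patch the jail's jail.conf and replace the
# network lines Bastille wrote into the jail's rc.conf. FreeBSD only (BSD sed -i '').
apply_config() {
    jail=$1 mac=$2 jail_ip=$3 gw=$4
    prefix=${BASTILLE_PREFIX:-/usr/local/bastille}
    jc="$prefix/jails/$jail/jail.conf"
    rc="$prefix/jails/$jail/root/etc/rc.conf"
    validate_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    validate_ipv4 "$jail_ip" && validate_ipv4 "$gw" || { echo "bad IP" >&2; return 1; }
    [ -f "$jc" ] && [ -f "$rc" ] || { echo "no such jail: $jail" >&2; return 1; }
    if ! grep -q 'e0a_.* ether ' "$jc"; then   # idempotent: add the MAC hook only once
        tmp=$(mktemp) || return 1
        insert_mac_line "$mac" < "$jc" > "$tmp" && mv "$tmp" "$jc"
    fi
    # Drop the address and default route Bastille set, then append the OVH stanza.
    sed -i '' -e '/^ifconfig_vnet0=/d' -e '/^defaultrouter=/d' "$rc"
    jail_rc_conf "$jail_ip" "$gw" >> "$rc"
}

# Typical run on the host, after "bastille stop p1":
#   apply_config p1 ca:fe:ca:fe:ca:fe 6.7.8.9 "$(ovh_gateway 1.2.3.4)" && bastille start p1
# Dry run of the jail.conf patch on a constructed fragment:
#   printf ' exec.prestart += "jib addm bastille0 em0";\n' | insert_mac_line ca:fe:ca:fe:ca:fe
```

The validation step matters more than it looks: a mistyped virtual MAC or an IP that is not the one the MAC was generated for produces a jail that starts cleanly but is silently unreachable from the OVH side, which is far harder to debug than a refused script.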