
IT Notes - ovh

Stefano Marinelli · 2022-01-14 · via IT Notes - ovh

The OVH (and, of course, Soyoustart) network seems to be configured in a "strange" way, and setting up failover IPs isn’t always as straightforward as you think it should be.

Sometimes you want (or need) to assign a public IP address to a FreeBSD jail without playing with NAT but there’s not much documentation on how to do it inside a jail.

Let’s suppose your FreeBSD host server’s public IP address is 1.2.3.4 and your failover IP is 6.7.8.9.

First of all, go to your Control Panel (OVH/Soyoustart/etc.) and generate a MAC address for the failover public IP address you want to assign to your jail. Let’s assume it’s ca:fe:ca:fe:ca:fe.

Now let’s go back to the FreeBSD host and take note of its gateway (it should be 1.2.3.254, but double check). You’ll need it later.

Now it’s time to create the jail. I love BastilleBSD as it’s light, has no dependencies and is being actively developed. I won’t cover how to install and bootstrap Bastille in this article; for further information, have a look at the official documentation.

We need VNET for this purpose, so our jail will have its own complete network stack. If you’ve read that VNET is unstable, you’ve found some old articles. Don’t worry, you can use it now, it's stable.

So, let’s create our jail. Using VNET, a bridge interface will be created and both your physical and your jailed network interfaces will be attached. Let’s suppose our physical host interface is “em0” and let's call our jail "p1":

bastille create -V p1 14.2-RELEASE 6.7.8.9 em0

We're asking Bastille to create a VNET (-V) jail called p1, running FreeBSD 14.2-RELEASE, with IP address 6.7.8.9, and to attach the bridge it creates to em0. The jail will be created and started, but we’re not ready to use it yet.

Let's stop the jail:

bastille stop p1

Let’s now modify the jail.conf, as we have to set the MAC address we generated in the web panel on the interface.

You’ll have something like this:

…
  vnet;
  vnet.interface = e0b_bastille0;
  exec.prestart += "jib addm bastille0 em0";
  exec.prestart += "ifconfig e0a_bastille0 description \"vnet host interface for Bastille jail p1\"";
  exec.poststop += "jib destroy bastille0";
}

Let’s add this line after the exec.prestart += "jib addm bastille0 em0"; line:

exec.prestart += "ifconfig e0a_bastille0 ether ca:fe:ca:fe:ca:fe";

Now, let’s configure the network interface inside the jail, as Bastille couldn't figure out the "strange" OVH network configuration. Let’s edit the jail’s rc.conf file. If you haven’t changed Bastille’s default setup, it should be:

/usr/local/bastille/jails/p1/root/etc/rc.conf

Remove the network settings already set by Bastille and replace them with something like this:

ifconfig_vnet0="inet 6.7.8.9 netmask 255.255.255.255 broadcast 6.7.8.9"
static_routes="ovh"
route_ovh="-net 1.2.3.254 -iface vnet0"
defaultrouter="1.2.3.254"

The gateway is outside the jail's netmask, so FreeBSD needs a static route telling it that the "foreign" gateway (1.2.3.254) is reachable directly via a specific network interface. Only then can the default route through that gateway be installed and outgoing connections flow.

Save, exit and start the jail:

bastille start p1

Congratulations, you can now ping your jail's public IP, and your jail will reach the outside world via its public IP address.
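
If the jail comes up without connectivity, the usual cause is the rc.conf part: a /32 address with a default router but no interface route to that router. The following check is an added example, not part of the original article or of Bastille; the function name check_jail_rc is hypothetical, and the sample file uses the article's placeholder addresses and the vnet0 interface name from the rc.conf above.

```sh
#!/bin/sh
# Added example: lint a jail's rc.conf for the off-link gateway layout above.
# check_jail_rc FILE [IFACE] prints "ok" (exit 0) or the first problem (exit 1).
# The function body is a subshell, so variables from FILE do not leak out.
check_jail_rc() (
    file=$1 iface=${2:-vnet0}
    case $file in */*) ;; *) file=./$file ;; esac   # keep "." from searching PATH
    case $iface in ''|*[!A-Za-z0-9_]*) echo "bad interface name"; exit 1 ;; esac
    [ -r "$file" ] || { echo "cannot read $file"; exit 1; }
    # rc.conf is sh variable assignments; sourcing executes it, so only point
    # this at a root-owned file you would let rc(8) read anyway.
    . "$file"
    eval "ifcfg=\${ifconfig_${iface}:-}"
    case " $ifcfg " in
        "  ") echo "ifconfig_${iface} is not set"; exit 1 ;;
        *" netmask 255.255.255.255 "*|*"/32 "*) ;;
        *) echo "ifconfig_${iface} is not a /32"; exit 1 ;;
    esac
    gw=${defaultrouter:-}
    [ -n "$gw" ] || { echo "defaultrouter is not set"; exit 1; }
    # The gateway is outside the /32, so one route named in static_routes
    # must reach it directly through the interface.
    for name in ${static_routes:-}; do
        case $name in *[!A-Za-z0-9_]*) continue ;; esac
        eval "route=\${route_${name}:-}"
        case " $route " in
            *" $gw "*"-iface $iface "*) echo ok; exit 0 ;;
        esac
    done
    echo "no static route to $gw via -iface $iface"
    exit 1
)

# Constructed sample: the article's rc.conf with its placeholder addresses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ifconfig_vnet0="inet 6.7.8.9 netmask 255.255.255.255 broadcast 6.7.8.9"
static_routes="ovh"
route_ovh="-net 1.2.3.254 -iface vnet0"
defaultrouter="1.2.3.254"
EOF
check_jail_rc "$sample"
rm -f "$sample"
```

On the host, run it against /usr/local/bastille/jails/p1/root/etc/rc.conf before bastille start p1.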