# IPFW, Jail and network alias



## kazix (Dec 7, 2017)

Hello,

I'm trying to configure IPFW on a machine with jails (FreeBSD 11.1).

The host has one big lagg0, and when a jail starts it creates an alias on this lagg0.


```
lagg0: flags=8843... metric 0 mtu 1500   options=401ba....
    ether ....
    inet 10.10.1.102 netmask 0xffffff00 broadcast 10.10.1.255 
    inet 10.10.1.139 netmask 0xffffffff broadcast 10.10.1.139 
    inet 10.10.1.141 netmask 0xffffffff broadcast 10.10.1.141 
    inet 10.10.1.25 netmask 0xffffffff broadcast 10.10.1.25 
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    groups: lagg 
    laggproto lacp lagghash l2,l3,l4
    laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: igb1 flags=0<>
    laggport: bce0 flags=0<>
```

jail_1 has the 10.10.1.139 address
jail_2 has the 10.10.1.139 address
...

I understand that I can't run IPFW in a jail; it must be on the host machine.

But is there any way to set rules per jail (network alias)?

example:

Jail_1 only incoming DNS, HTTP, HTTPS, ...
Jail_2 only incoming SMTP, IMAP, ...
...

Thanks for help 
kzx


----------



## ShelLuser (Dec 7, 2017)

Well, each jail needs to have its own IP address which you can use in the firewall of the host to control incoming traffic.


----------



## kazix (Dec 7, 2017)

Ok, but how do I write this rule in IPFW?

example:

```
pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif
```

How should this rule look if I want to allow ssh access from any only to jail_1 (10.10.1.139)?


----------



## complexinput (Dec 9, 2017)

```
pif="lagg0"
$cmd 00402 allow tcp from any to me 22 in via $pif
```

Change "me" to the ip of the jail.
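As an added illustration of that answer (not code posted in this thread), the script below builds one allow rule per service for each jail's alias address, in the same `$cmd NNNNN allow tcp from any to <ip> <port> in via $pif` form used above, and closes each jail off with a deny on everything else inbound to that address. The rule numbers, the `deny` tail, and the second jail's address 10.10.1.141 (the original post lists 10.10.1.139 for both jails) are assumptions. By default `CMD` only prints the rules so the script can be dry-run anywhere; set `CMD="ipfw -q add"` on the host to install them.

```shell
#!/bin/sh
# Added example: per-jail ipfw rules keyed on the jail's alias IP on lagg0.
# Not from the original thread. CMD defaults to printing the rules (dry run);
# on a real FreeBSD host run with CMD="ipfw -q add".
CMD="${CMD:-echo ipfw -q add}"
PIF="lagg0"

# Constructed jail addresses (assumptions, not from the thread).
JAIL1_IP="10.10.1.139"
JAIL2_IP="10.10.1.141"

# emit_allow_in RULENUM DST_IP PROTO PORT
# One rule permitting inbound PROTO to DST_IP:PORT arriving via $PIF,
# i.e. the thread's rule with "me" replaced by the jail address.
emit_allow_in() {
    $CMD "$1" allow "$3" from any to "$2" "$4" in via "$PIF"
}

# jail_rules BASE IP SERVICE...
# SERVICE is proto:port, e.g. tcp:22 or udp:53. Emits one allow rule per
# service, numbered from BASE upward, then a deny for any other inbound
# traffic to that jail address so the host's later rules cannot open it.
jail_rules() {
    base=$1; ip=$2; shift 2
    n=$base
    for svc in "$@"; do
        proto=${svc%%:*}
        port=${svc#*:}
        emit_allow_in "$n" "$ip" "$proto" "$port"
        n=$((n + 1))
    done
    $CMD "$n" deny ip from any to "$ip" in via "$PIF"
}

# jail_1: DNS, HTTP, HTTPS and ssh only; jail_2: SMTP and IMAP only.
jail_rules 1000 "$JAIL1_IP" tcp:22 tcp:53 udp:53 tcp:80 tcp:443
jail_rules 2000 "$JAIL2_IP" tcp:25 tcp:143 tcp:993
```

Because ipfw evaluates rules in number order and stops at the first match, each jail's block must sit before any broader `allow ... to me` rules for the host, and the trailing `deny` keeps a later permissive rule from reopening a port the jail's block did not list.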


----------

