FreeBSD Jail own network stack with vimage

bsd, freebsd, networking, virtual-machines

I want to throw all services from the host system and put them in jails.

Unfortunately this doesn't work for file sharing (e.g. nfsd) because the jails don't have their own network stack by default. I have now read something about vimage which would solve this issue.

See more in this thread: http://forums.freebsd.org/showthread.php?t=9006

The use of vimage with raw jails should more or less work, but the use of vimage together with ezjail makes it hard.

Does anyone have experience about this topic and wants to share it?

Regards

Best Answer

I'll dig up this bone for anyone who is curious. What I have done in the past is build a jail for each service I want isolated, and then ensure PF is running on the host (un-jailed). Then I can prevent inter-jail communication by either assigning the hosts the same lo1 interface but with separate /32 network addresses, or assigning them separate loopback interfaces.

Then you can ensure PF isn't skipping any interfaces, like they talk about here: https://forums.freebsd.org/threads/41263/.

Unfortunately, I do not have any experience with vimage or ezjail.

-gns
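As an added example (not from the post or the thread it links), a host-side pf.conf for the layout gns describes: each jail gets its own /32 on a cloned lo1, lo1 is deliberately kept out of the skip list so pf inspects it, and a quick block rule denies jail-to-jail traffic. The interface name em0, the 127.0.1.x addresses, the jail names and the exposed ports are assumptions.

```pf
# /etc/pf.conf on the (un-jailed) host; FreeBSD pf syntax.
# lo1 and the per-jail /32s are created in rc.conf, e.g.
#   cloned_interfaces="lo1"
#   ifconfig_lo1_alias0="inet 127.0.1.1 netmask 255.255.255.255"
#   ifconfig_lo1_alias1="inet 127.0.1.2 netmask 255.255.255.255"
ext_if    = "em0"         # assumption: the host's external NIC
jail_if   = "lo1"         # cloned loopback carrying the jail addresses
jail_web  = "127.0.1.1"   # constructed: web jail, /32 on lo1
jail_mail = "127.0.1.2"   # constructed: mail jail, /32 on lo1
table <jails> { $jail_web $jail_mail }

# Only lo0 is skipped; lo1 must stay filtered or the rules below never run
set skip on lo0

# Translation runs before filtering: jails leave with the host address,
# and only the ports listed here are redirected into a jail
nat on $ext_if from <jails> to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $jail_web
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $jail_mail

block log all

# Isolation: a jail may not reach another jail's /32 across lo1.
# Loopback traffic is seen twice (out, then in), so blocking on "in" is enough.
block in log quick on $jail_if from <jails> to <jails>

# Each jail answers only on its own service (destination already rewritten by rdr)
pass in on $ext_if proto tcp to $jail_web  port 80 keep state
pass in on $ext_if proto tcp to $jail_mail port 25 keep state

# Jails and the host may initiate outbound connections
pass out on $ext_if keep state
```

Check the result with `pfctl -vnf /etc/pf.conf` before loading, and confirm with `pfctl -s rules` that lo1 does not appear in the skip list.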