I'm setting up a server environment where I've got a bunch of jails running using aliased IPs on the same interface. I'd like to be able to use ipfw to place limits on the traffic between jails, but I'm running into problems.

When I use tcpdump to look at TCP traffic from one jail to another, it shows both the source and destination IP for the packets as being the IP assigned to the jail which the connection is made to. When I look at UDP traffic (again using tcpdump) I see both the source and destination IP being that of the jail IP the particular packet is destined for.

Given the situation above, is it possible for ipfw to distinguish which jails are involved in a packet exchange?

I've wondered about giving each jail its own pseudo-interface. Are there any problems with creating many pseudo-interfaces like this? What sort of interface should I use? You apparently can't create multiple loopback interfaces, which would be the obvious choice (i.e. `ifconfig lo1 create` does not work). The interface types I know about that allow creation of pseudo-interfaces are tunnel type interfaces, which don't really suit this purpose. Is there something suitable?

Given that packets are coming from a jail, is the packet construction I'm seeing correct, or should this be considered a bug?

Andrew McNaughton

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton
In Sydney
Working on a Product Recommender System
andrew@scoop.co.nz
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc