From owner-freebsd-questions@freebsd.org Fri Dec 4 02:45:18 2015 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8A3A4A403E5 for ; Fri, 4 Dec 2015 02:45:18 +0000 (UTC) (envelope-from alexmiroslav@gmail.com) Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 295681928 for ; Fri, 4 Dec 2015 02:45:18 +0000 (UTC) (envelope-from alexmiroslav@gmail.com) Received: by wmec201 with SMTP id c201so47511896wme.1 for ; Thu, 03 Dec 2015 18:45:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=1pvBceUCWddqy8E/I/D68Ey0LXn5QX/ZWeBiDe2qOtM=; b=wDRE3lBx1cI1D0v79cb0a2L0FT052K81or5OIFT1juTPon5zb0/DCNbT5VqM2WDANQ BkPEfyTYFNtQdoLVYDNz5grm5+Kt6WPwM1ZFvHUJ8CJ+4C1CEo3uq01MF5E9drFCH4Sr UwRVWR4e5ZXEENCmMZG1VZjrBTeXWO4oV++v91rtB4hIAOf9hJtRtzskdAuiomuIKH1S TKsJDU1dV3pBD1CYkJANcLe6fjwGJpHOGdtfkGtf8Z2WjJUI4XsG4jkFlKKYBLj/jdK4 BxyMitqb3t1CceIb70/eWe1j7xg3d86MzfdX53DPE7d+pbXLCso1IbLaeQ335/AhSx1V 83pQ== MIME-Version: 1.0 X-Received: by 10.28.126.197 with SMTP id z188mr2073546wmc.88.1449197116748; Thu, 03 Dec 2015 18:45:16 -0800 (PST) Received: by 10.28.162.16 with HTTP; Thu, 3 Dec 2015 18:45:16 -0800 (PST) In-Reply-To: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org> References: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org> Date: Thu, 3 Dec 2015 18:45:16 -0800 Message-ID: Subject: Re: best practice for locking down private jail? From: Aleksandr Miroslav To: freebsd-questions@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Dec 2015 02:45:18 -0000 On Wed, Dec 2, 2015 at 11:39 PM, Steve O'Hara-Smith wrote: > I would set up two jails - one as the upload jail the other the web > server and use a cron job on the host to move verified mp3 files Excellent advice, I will do just that. > don't use Apache, use a minimalist web server that can only serve > static files (thttpd can be set up this way - there are others). thttpd doesn't look like it's been updated in a while, but a bit of Googling shows that lighttpd, nginx, and hiawatha are all small secure web servers. Any recommendations from these? > Finally I'd use pf to lock down the traffic so that nothing gets to > the jails that shouldn't. I only have redirects for both the web server jail and the file uploader jail that look like this: rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port = $JAIL_UPLOADER_SSH_EXTERNAL_PORT -> $JAIL_UPLOADER_IP port $JAIL_UPLOADER_SSH_PORT rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port = $JAIL_WEB_HTTP_EXTERNAL_PORT -> $JAIL_WEB_IP port $JAIL_WEB_HTTP_PORT And both jails are on private IPs that don't talk to each other or the outside host/world. Is this sufficient or should I add blocks for these private jails as well?