Date:      Sun, 7 May 2006 13:17:29 -0700 (PDT)
From:      Bigby Findrake <bigby@ephemeron.org>
To:        freebsd-security@freebsd.org, nospam@mgedv.net
Subject:   Re: Jails and loopback interfaces
Message-ID:  <20060505142945.J26390@home.ephemeron.org>
In-Reply-To: <200605041415.k44EFYKF043028@lurza.secnetix.de>
References:  <200605041415.k44EFYKF043028@lurza.secnetix.de>

On Thu, 4 May 2006, Oliver Fromme wrote:

> No@SPAM@mgEDV.net <nospam@mgedv.net> wrote:
> >
> > > I recently did something like this.  I have a webserver in a jail that
> > > needs to talk to a database, and the webserver is the only thing that
> > > should talk to the database.
> > >
> > > My solution was to use 2 jails: one for the webserver, and another for the
> > > database.
> > >
> > > Jail 1:
> > >       * runs webserver
> > >       * binds to real interface with real, routable IP
> > >
> > > Jail 2:
> > >       * runs database server
> > >       * binds to loopback interface, isn't directly reachable
> > >         from outside the box
> > Just to clarify that for me: you did set up this layout, or you
> > tried to set it up?  As I read it, I understand that you did!
> >
> > I tried exactly the same, but currently jails are bound to the specific
> > IP address assigned to them, so I wonder how the webserver on a real
> > IP address can communicate with the database bound to the loopback IP.
> > If you could kindly tell how you solved this issue (we're using 6.1).
>
> In fact, it is a good idea to _always_ bind jails to non-
> routable loopback IPs.  For example:
>
>   jail 1 (webserver) on 127.0.0.2
>   jail 2 (database)  on 127.0.0.3
>
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.

Wouldn't you need to use some form of NAT and not forwarding?  This is 
from IPFW(8) (6.0-RELEASE):

              The fwd action does not change the contents of the packet at all.
              In particular, the destination address remains unmodified, so
              packets forwarded to another system will usually be rejected by
              that system unless there is a matching rule on that system to
              capture them.  For packets forwarded locally, the local address
              of the socket will be set to the original destination address of
              the packet.

It seems to me that the jail might reject the packets, and even if it 
didn't, would the replies from the jail get the right source address put 
on them?  I haven't tried what you're talking about, so I'm just guessing. 
Forwarding doesn't seem to be the way to accomplish what you're talking 
about.



/-------------------------------------------------------------------------/
A train stops at a train station, a bus stops at a bus
station.  On my desk, I have a workstation...

                    finger://bigby@ephemeron.org
                   http://www.ephemeron.org/~bigby/
                   irc://irc.ephemeron.org/#the_pub
                 news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
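Added example, not part of the thread or of anyone's posted configuration: the two approaches under discussion written out side by side as an ipfw(8)/natd(8) rule set, so the difference can be seen in the rules themselves. Everything in it is assumed: the outside interface em0 carrying 192.0.2.10, the webserver jail on 127.0.0.2 and the database jail on 127.0.0.3. Variant A is the fwd rule as suggested in the quoted message; Variant B is a natd port redirect, which does rewrite the destination on the way in and the source on the way back out. The script only prints the commands unless APPLY=1 is set, so it can be reviewed without touching a live firewall. Which variant a jail bound to a 127/8 address actually accepts is the open question of this thread; test it on the release you run before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (all hypothetical):
#   em0 carries the routable address 192.0.2.10 (documentation range)
#   jail 1 (webserver) is bound to 127.0.0.2, jail 2 (database) to 127.0.0.3
# Commands are only printed unless APPLY=1, so the set can be reviewed first.
IFACE=em0
PUBLIC_IP=192.0.2.10
WWW_JAIL=127.0.0.2
DB_JAIL=127.0.0.3

# Dry-run wrapper: print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Per-jail loopback aliases; each jail is started with one of these IPs.
loopback_aliases() {
    run ifconfig lo0 alias "$WWW_JAIL" netmask 255.255.255.255
    run ifconfig lo0 alias "$DB_JAIL"  netmask 255.255.255.255
}

# Variant A: ipfw fwd, as suggested in the quoted message.  fwd changes only
# where the packet is delivered; per ipfw(8) the destination address stays
# $PUBLIC_IP, and a socket reached this way sees $PUBLIC_IP as its local
# address rather than the jail's own $WWW_JAIL.
fwd_rules() {
    run ipfw add 1000 fwd "$WWW_JAIL,80" tcp from any to "$PUBLIC_IP" 80 in via "$IFACE"
}

# Variant B: NAT with natd(8).  The redirect rewrites dst $PUBLIC_IP:80 to
# $WWW_JAIL:80 on the way in and the source back to $PUBLIC_IP on the way
# out, so the jail socket and the remote client each see consistent
# addresses.  natd must be running before the divert rule exists, or matching
# packets are dropped for lack of a divert listener.
nat_rules() {
    run natd -n "$IFACE" -redirect_port tcp "$WWW_JAIL:80" 80
    run ipfw add 1000 divert natd ip from any to any via "$IFACE"
}

# The database jail is reachable only from the webserver jail (and itself)
# over lo0; it is never exposed through either variant above.
db_access_rules() {
    run ipfw add 2000 allow ip from "$WWW_JAIL" to "$DB_JAIL" via lo0
    run ipfw add 2010 allow ip from "$DB_JAIL" to "$DB_JAIL" via lo0
    run ipfw add 2020 deny ip from any to "$DB_JAIL"
}

# Print (or apply) the common part plus the chosen variant (default: nat).
emit_ruleset() {
    loopback_aliases
    db_access_rules
    case "${1:-nat}" in
        fwd) fwd_rules ;;
        nat) nat_rules ;;
        *)   echo "unknown variant: $1" >&2; return 2 ;;
    esac
}

emit_ruleset "${VARIANT:-nat}"
```

These are fragments to merge into an existing ruleset: no default policy or rules for the host's own traffic are shown, and the rule numbers are arbitrary. Running it with VARIANT=fwd and VARIANT=nat prints the two candidate sets for comparison; APPLY=1 executes them on the host.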


