From: Mark Felder
To: freebsd-questions@freebsd.org
Subject: Re: jails, IPS and firewalls, oh my!
Date: Thu, 18 Sep 2014 07:34:23 -0500
Message-Id: <1411043663.650970.168986121.79B70425@webmail.messagingengine.com>
In-Reply-To: <5419A071.2080800@tysdomain.com>
References: <5419A071.2080800@tysdomain.com>

On Wed, Sep 17, 2014, at 09:53, Littlefield, Tyler wrote:
>
> So, on the advice of others who know BSD a lot more than I do I tried a
> few things. Mainly I assigned the IP to a jail and tried to firewall it
> off. The IP address though still is being used by em0, which means that
> even if I open port 80 it will point to my main server and not the jail.
>

But the process listening on port 80 is in the jail, which is really all that matters in this scenario. It's possible for you to assign an IP to the jail and have zero services outside the jail listening on that IP. This should cover your concerns as well.

If you really want an "interface" that is only assigned to the jail you'll have to look at using VNET jails. Failing that, perhaps run a full FreeBSD bhyve VM instead?
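
One way to check the "zero services outside the jail listening on that IP" condition from the reply above, as an added example that is not part of the original message. It assumes input in the `sockstat -4 -l` column layout, already restricted to host (non-jailed) processes; the function names, the sample rows and the jail address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag host-side listeners that would answer on a jail's IP.
# Input columns: USER COMMAND PID FD PROTO LOCAL FOREIGN (sockstat -4 -l layout).
# Assumption: the listing holds host processes only, e.g. gathered on the
# host with `sockstat -4 -l -j 0`.

# host_listeners_on_ip JAIL_IP  < socket-listing
# Prints "COMMAND PID PROTO LOCAL" for each socket bound to the jail's IP or
# to the wildcard address. A wildcard bind accepts traffic for every address
# configured on the host, including the one assigned to the jail.
host_listeners_on_ip() {
    awk -v ip="$1" '
        $1 == "USER" { next }    # skip the header row
        NF < 6       { next }    # skip malformed or short rows
        {
            laddr = $6
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "*" || addr == ip)
                print $2, $3, $5, laddr
        }'
}

# Constructed sample: host sockets on a machine whose jail owns 192.0.2.10.
sample_host_sockets() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       731   4  tcp4   *:22                  *:*
root     syslogd    602   7  udp4   *:514                 *:*
root     ntpd       688   21 udp4   198.51.100.5:123      *:*
www      httpd      1290  6  tcp4   192.0.2.10:80         *:*
EOF
}

# Demo run: every line printed is a host service reachable via the jail's IP.
sample_host_sockets | host_listeners_on_ip 192.0.2.10
```

An empty result means no host process is bound to the jail's address or to the wildcard; anything listed needs to be rebound to a specific host address or stopped.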