Date: Thu, 4 May 2006 17:07:15 +0200
From: "No@SPAM@mgEDV.net" <nospam@mgedv.net>
To: <freebsd-security@FreeBSD.ORG>
Cc: 'Oliver Fromme' <olli@lurza.secnetix.de>
Subject: RE: Jails and loopback interfaces
Message-ID: <001401c66f8c$6dd0e8b0$01010101@avalon.lan>
In-Reply-To: <200605041415.k44EFYKF043028@lurza.secnetix.de>
> In fact, it is a good idea to _always_ bind jails to non-
> routable loopback IPs. For example:
> jail 1 (webserver) on 127.0.0.2
> jail 2 (database) on 127.0.0.3
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.

ok, technically i get this, but wouldn't it confuse the daemons and slow down the network connections if i use packet forwarding for each packet, let's say a daemon reads from syslog services and writes to databases?

> Of course there's no problem accessing the database from
> the webserver. Note that you have complete control over
> who can access what, by using your favourite packet filter
> (IPFW, IPF, PF).

this part i definitely don't get. let's assume this one:

192.168.10.1 = jail ip of the ws
127.0.0.1 = jail ip of the db

sending to 127.0.0.1 is not possible on 192.168.134.1 (kernel re-routes it to 192.168.134.1 if man jail is correct). if i set up forwarding rules i'd have to set up something for the real ip's port, no? and, i assumed that the setup mentioned can live without additional firewall rules.

i for sure have some "what the hell... how-to" problem with jails, currently ;-)
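Oliver's layout, written out as an IPFW ruleset (example added to this archive page, not code from Oliver or the original poster): the fwd rule is keyed on the real IP's port and delivers to the web jail's loopback socket, while the database jail needs no fwd rule at all and is only reachable from the web jail. Assumed values: em0 as the outside interface, 192.0.2.10 as the host's real address, 127.0.0.2 (web, port 80) and 127.0.0.3 (database, assumed PostgreSQL on 5432) as the jail addresses.

```shell
#!/bin/sh
# Added example: IPFW rules for two jails bound to loopback aliases.
# All addresses, the interface name and the database port are assumptions.
EXT_IF="em0"          # assumed outside interface
REAL_IP="192.0.2.10"  # assumed real address of the host (documentation range)
WEB_JAIL="127.0.0.2"  # web server jail, bound to a loopback alias
DB_JAIL="127.0.0.3"   # database jail, never exposed outside the host
DB_PORT="5432"        # assumed database port

# Emit the ruleset instead of applying it, so it can be reviewed first.
# fwd to a local address needs a kernel built with IPFIREWALL_FORWARD.
jail_ruleset() {
    cat <<EOF
add 100 deny log ip from 127.0.0.0/8 to any in via ${EXT_IF}
add 110 fwd ${WEB_JAIL},80 tcp from any to ${REAL_IP} 80 in via ${EXT_IF}
add 200 allow tcp from ${WEB_JAIL} to ${DB_JAIL} ${DB_PORT}
add 210 deny log ip from any to ${DB_JAIL}
add 220 allow ip from any to any
EOF
}
# Rule 100 drops spoofed loopback sources arriving on the outside interface.
# Rule 110 hands packets for the real IP's port 80 to the socket the web jail
# has bound on 127.0.0.2:80; the daemon itself needs no knowledge of this.
# Rule 200/210 let only the web jail reach the database, and log anything else
# (including the host's own 127.0.0.1) that tries.

# Loopback aliases the jails bind to; idempotent on repeated runs.
loopback_aliases() {
    for ip in "${WEB_JAIL}" "${DB_JAIL}"; do
        echo "ifconfig lo0 alias ${ip} netmask 255.255.255.255"
    done
}

# Apply for real only when explicitly asked and ipfw is present.
apply_rules() {
    loopback_aliases | while read -r cmd; do ${cmd}; done
    jail_ruleset | while read -r rule; do ipfw -q ${rule}; done
}

if [ "${APPLY:-no}" = "yes" ] && command -v ipfw >/dev/null 2>&1; then
    apply_rules
else
    jail_ruleset
fi
```

Run with `APPLY=yes` on the jail host to load the rules; without it the script only prints them.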