Date: Thu, 4 May 2006 17:39:18 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
Subject: Re: Jails and loopback interfaces
Message-ID: <200605041539.k44FdIpP046875@lurza.secnetix.de>
In-Reply-To: <001401c66f8c$6dd0e8b0$01010101@avalon.lan>
No@SPAM@mgEDV.net <nospam@mgedv.net> wrote:
>
> > In fact, it is a good idea to _always_ bind jails to non-routable
> > loopback IPs. For example:
> >
> > jail 1 (webserver) on 127.0.0.2
> > jail 2 (database) on 127.0.0.3
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.
>
> ok, technically I get this, but wouldn't it confuse the daemons

No, it doesn't confuse the daemons. Why should it?

> and slow down the network connections if I use packet forwarding
> for each packet, let's say a daemon reads from syslog services
> and writes to databases?

No, the overhead is negligible. The only thing that IPFW FWD does
is to adjust the forwarding path of the packet.

> > Of course there's no problem accessing the database from
> > the webserver. Note that you have complete control over
> > who can access what, by using your favourite packet filter
> > (IPFW, IPF, PF).
>
> this part I definitely don't get. let's assume this one:
>
> 192.168.10.1 = jail ip of the ws
> 127.0.0.1 = jail ip of the db

Don't use those IPs. In particular it's probably not a good
idea to use localhost as a jail IP. Use only loopback IPs
(other than localhost), like the example that I wrote above.

And of course you should use appropriate packet filter rules
to enforce what kind of access between the jails is allowed.
Only allow what you need.

Best regards
Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"... there are two ways of constructing a software design: One way
is to make it so simple that there are _obviously_ no deficiencies
and the other way is to make it so complicated that there are no
_obvious_ deficiencies."
        -- C.A.R. Hoare, ACM Turing Award Lecture, 1980