Date:      Thu, 3 Dec 2015 18:45:16 -0800
From:      Aleksandr Miroslav <>
Subject:   Re: best practice for locking down private jail?
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

On Wed, Dec 2, 2015 at 11:39 PM, Steve O'Hara-Smith <> wrote:
> I would set up two jails - one as the upload jail the other the web
> server and use a cron job on the host to move verified mp3 files

Excellent advice, I will do just that.

> don't use Apache, use a minimalist web server that can only serve
> static files (thttpd can be set up this way - there are others).

thttpd doesn't look like it's been updated in a while, but a bit of
Googling shows that lighttpd, nginx, and hiawatha are all small secure
web servers. Any recommendations from these?

> Finally I'd use pf to lock down the traffic so that nothing gets to
> the jails that shouldn't.

I only have redirects for both the web server jail and the file uploader jail
that look like this:

    rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port =
    rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port =

And both jails are on private IPs that don't talk to each other or the
outside host/world. Is this sufficient or should I add blocks for these
private jails as well?
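
The lock-down discussed in this message, written out as a pf.conf fragment. This is an added example, not part of the original e-mail: the interface name, all addresses and both ports are assumed placeholders, and the host's own rules (such as management access) are left out and must be added before loading it.

```pf
# Constructed placeholders, not values from the thread.
ext_if      = "em0"
public_ip   = "203.0.113.10"
web_jail    = "10.0.0.2"
upload_jail = "10.0.0.3"
web_port    = "80"      # assumed port for the static web server
upload_port = "8080"    # assumed port for the upload service

# Translation: plain "rdr" instead of "rdr pass".
# With "rdr pass" the redirected packets skip the filter rules entirely;
# without it they must also match an explicit pass rule below.
rdr on $ext_if inet proto tcp from any to $public_ip port $web_port \
    -> $web_jail port $web_port
rdr on $ext_if inet proto tcp from any to $public_ip port $upload_port \
    -> $upload_jail port $upload_port

# Filtering: default deny, logged so that drops show up on pflog0.
block log all

# The jails may not talk to each other. "quick" stops evaluation here,
# so a broader pass rule added later cannot reopen this path.
block log quick inet from $web_jail to $upload_jail
block log quick inet from $upload_jail to $web_jail

# The jails may not originate connections to the outside world.
block log quick on $ext_if inet from { $web_jail, $upload_jail } to any

# Inbound: only the redirected service port reaches each jail.
# Filter rules see the destination after rdr has rewritten it.
pass in on $ext_if inet proto tcp from any to $web_jail port $web_port \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $upload_jail port $upload_port \
    flags S/SA keep state
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.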
