Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 3 Dec 2015 18:45:16 -0800
From:      Aleksandr Miroslav <alexmiroslav@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: best practice for locking down private jail?
Message-ID:  <CACcSE1zhMLnbo+bOixOM_ZLBpP+szbmzfFH_12v36ezy34fs9g@mail.gmail.com>
In-Reply-To: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org>
References:  <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, Dec 2, 2015 at 11:39 PM, Steve O'Hara-Smith <steve@sohara.org> wrote:
> I would set up two jails - one as the upload jail the other the web
> server and use a cron job on the host to move verified mp3 files

Excellent advice, I will do just that.

> don't use Apache, use a minimalist web server that can only serve
> static files (thttpd can be set up this way - there are others).

thttpd doesn't look like it's been updated in a while, but a bit of
Googling shows that lighttpd, nginx, and hiawatha are all small secure
web servers. Any recommendations from these?

> Finally I'd use pf to lock down the traffic so that nothing gets to
> the jails that shouldn't.

I only have redirects for both the web server jail and the file uploader jail
that look like this:

    rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port =
$JAIL_UPLOADER_SSH_EXTERNAL_PORT -> $JAIL_UPLOADER_IP port
$JAIL_UPLOADER_SSH_PORT
    rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port =
$JAIL_WEB_HTTP_EXTERNAL_PORT     -> $JAIL_WEB_IP      port
$JAIL_WEB_HTTP_PORT

And both jails are on private IPs that don't talk to each other or the
outside host/world. Is this sufficient or should I add blocks for these
private jails as well?



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CACcSE1zhMLnbo+bOixOM_ZLBpP+szbmzfFH_12v36ezy34fs9g>