From owner-freebsd-security@FreeBSD.ORG Thu May 4 13:36:02 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A248516A400 for ; Thu, 4 May 2006 13:36:02 +0000 (UTC) (envelope-from nospam@mgedv.net) Received: from mgedv.at (mail.mgedv.at [195.3.87.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3496A43D45 for ; Thu, 4 May 2006 13:36:01 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from metis (localhost [127.0.0.1]) by mgedv.at (SMTPServer) with ESMTP id A710E186864; Thu, 4 May 2006 15:35:50 +0200 (MEST) From: "No@SPAM@mgEDV.net" To: Date: Thu, 4 May 2006 15:36:03 +0200 Message-ID: <000001c66f7f$b148b620$01010101@avalon.lan> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AcZvf6jiNRp8GRsmRoejAvF62XNQbw== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: freebsd-security@freebsd.org Subject: RE: Jails and loopback interfaces X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: nospam@mgedv.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2006 13:36:02 -0000 > I recently did something like this. I have a webserver in a jail that > needs to talk to a database, and the webserver is the only thing that > should talk to the databse. > My solution was to use 2 jails: one for the webserver, and another for the > database. > Jail 1: > * runs webserver > * binds to real interface with real, routable IP > Jail 2: > * runs database server > * binds to loopback interface, isn't directly reachable > from outside the box just to clarify that for me: you did setup this layout or you tried to setup this? as i read it, i understand that you did! i tried exactly the same but currently jails are bound to the specific ip-address assigned with them so i wonder, how the webserver on a real ip-address can communicate with the database bound to the loopback ip? if you could kindly tell, how you solved this issue (we're using 6.1).