Date: Thu, 09 Mar 2006 14:13:51 +0100
From: Michal Mertl <mime@traveller.cz>
To: Cyril Jaouich <cjaouich@yahoo.ca>
Cc: freebsd-security@freebsd.org
Subject: Re: SUMMARY: Jails and loopback interfaces
Message-ID: <1141910031.759.4.camel@genius.i.cz>
In-Reply-To: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>
References: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>
One solution which I think hasn't been mentioned here is to have jails on RFC1918 IP addresses or loopback (127/8) and have a packet filter redirect/forward just the visible services to the internal IP addresses. I haven't tried it myself but according to others it works.

Michal

Cyril Jaouich writes on Wed 08. 03. 2006 at 16:17 -0500:
> Well well,
>
> I have received a lot of answers and solutions.
>
> Setup:
> Server A hosts a jail B
> Jail B is Webserver and Database server
> What I want to do:
> Limit access to the database by binding the database on the loopback address
> (127.0.0.1).
>
> Since you can only use 1 ip in a jail and I am running a Web server it has to
> be a routed address (non RFC1918). Also, when a process inside a jail connects
> to the loopback (127.0.0.1), you hit the jail's ip and not the loopback ip of
> the master server (where the jail sits).
>
> In order to secure my database, it's best to use PF to limit exterior access.
> You can also setup another jail that will use an RFC1919 address.
>
> Thanks to:
> Bigby Findrake
> Axel Scheepers
> Josh Bell
> Ricardo A. Reis
> Jon
>
> -Cyril
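As an added illustration of the packet-filter approach Michal describes (this is example configuration, not something posted in the thread), a pf.conf fragment for the host that assumes the jail is bound to 10.0.0.2 on a cloned lo1 interface and that em0 carries the routed public address; interface names, the address and the port are all assumptions. Only the web port is redirected in, so the database, which as Cyril notes binds to the jail's own address, is never reachable from the public interface.

```pf
# Added example pf.conf fragment; names and addresses below are assumptions.
ext_if   = "em0"        # assumed: interface with the routed (public) address
jail_if  = "lo1"        # assumed: cloned loopback holding the jail's alias
jail_ip  = "10.0.0.2"   # assumed: RFC1918 address the jail is bound to
web_port = "80"

# Traffic between the host and the jail stays unfiltered.
set skip on lo0
set skip on $jail_if

# Let the jail reach the outside: its private address is not routable, so
# its outbound connections are NATed to the public address.
nat on $ext_if from $jail_ip to any -> ($ext_if)

# Expose only the web service: port 80 on the public address is rewritten to
# the jail's private address before the filter rules run. There is
# deliberately no rdr for the database port, so no packet arriving on
# $ext_if can ever be delivered to it.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $web_port \
    -> $jail_ip port $web_port

# Default deny inbound on the public interface; the "rdr pass" above already
# admits, and keeps state for, the redirected web connections.
block in log on $ext_if

# Host-originated and NATed jail traffic may leave.
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s nat` that the only rdr entry is the web port; the database port should appear nowhere in the translation rules.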