From owner-freebsd-security@FreeBSD.ORG Thu Mar 9 13:13:57 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F13416A420 for ; Thu, 9 Mar 2006 13:13:57 +0000 (GMT) (envelope-from mime@traveller.cz)
Received: from ss.eunet.cz (ss.eunet.cz [193.85.228.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C7C543D55 for ; Thu, 9 Mar 2006 13:13:56 +0000 (GMT) (envelope-from mime@traveller.cz)
Received: from localhost.i.cz (ss.eunet.cz [193.85.228.13]) by ss.eunet.cz (8.13.3/8.13.1) with ESMTP id k29DDs8e022972 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Thu, 9 Mar 2006 14:13:54 +0100 (CET) (envelope-from mime@traveller.cz)
From: Michal Mertl
To: Cyril Jaouich
Cc: freebsd-security@freebsd.org
Subject: Re: SUMMARY: Jails and loopback interfaces
Date: Thu, 09 Mar 2006 14:13:51 +0100
Message-Id: <1141910031.759.4.camel@genius.i.cz>
In-Reply-To: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>
References: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0
X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 09 Mar 2006 13:13:57 -0000

One solution which I think hasn't been mentioned here is to have jails on
RFC1918 IP addresses or loopback (127/8) and have a packet filter
redirect/forward just the visible services to the internal IP addresses.
I haven't tried it myself but according to others it works.

Michal

Cyril Jaouich writes on Wed 08. 03. 2006 at 16:17 -0500:
> Well well,
>
> I have received a lot of answers and solutions.
>
> Setup:
> Server A hosts a jail B
> Jail B is Webserver and Database server
> What I want to do:
> Limit access to the database by binding the database on the loopback address
> (127.0.0.1).
>
> Since you can only use 1 ip in a jail and I am running a Web server it has to
> be a routed address (non RFC1918). Also, when a process inside a jail connects
> to the loopback (127.0.0.1), you hit the jail's ip and not the loopback ip of
> the master server (where the jail sits).
>
> In order to secure my database, it's best to use PF to limit exterior access.
> You can also setup another jail that will use an RFC1918 address.
>
> Thanks to:
> Bigby Findrake
> Axel Scheepers
> Josh Bell
> Ricardo A. Reis
> Jon
>
> -Cyril
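The layout Michal describes, written out as a host pf.conf. This is an added example, not a configuration posted in the thread; it assumes the host's public interface is em0, that the jail has been given the loopback alias 127.0.0.2 as its single address (rc.conf: ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255" and jail_www_ip="127.0.0.2"), that the web server listens on 80/443 and the database on TCP 5432 inside the jail. All of those names and numbers are assumptions for illustration.

```pf
# Added example, not from the thread. Host-side pf.conf for a jail that
# lives on a loopback alias; only the web ports are exposed.
#
# Assumed: public interface em0, jail address 127.0.0.2 (an lo0 alias),
# web on 80/443, database on 5432 inside the jail.

ext_if   = "em0"
jail_ip  = "127.0.0.2"
web_ports = "{ 80, 443 }"
db_port   = "5432"

# Translation: TCP to the host's public address on the web ports is
# rewritten to the jail's loopback address. The database port gets no
# rdr, so there is no path from the wire to it at all.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $jail_ip

# Filtering is evaluated after translation, so the destination seen here
# is already 127.0.0.2. Default deny inbound on the public interface,
# then admit only the redirected web traffic and keep state for replies.
block in on $ext_if
pass in on $ext_if proto tcp from any to $jail_ip port $web_ports flags S/SA keep state

# Belt and braces: 127/8 must never arrive on a real interface, and the
# database port must never be answered from the outside even if a later
# rule accidentally opens it.
block in quick on $ext_if from any to 127.0.0.0/8
block in quick on $ext_if proto tcp from any to any port $db_port
```

Inside the jail the database still binds to "127.0.0.1", which, as Cyril observed, is really the jail's own address; the difference is that the jail's own address is now 127.0.0.2, which is not routable and cannot be reached from outside except through the rdr for the web ports. The web process in the same jail connects to 127.0.0.2:5432 over the local stack and never touches the packet filter. Check the loaded rules with `pfctl -sn` (translation) and `pfctl -sr` (filter) and confirm from another host that only the web ports answer on the public address.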