From owner-freebsd-security@FreeBSD.ORG Thu May 4 14:15:43 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@FreeBSD.ORG
Delivered-To: freebsd-security@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77FDE16A403 for <freebsd-security@FreeBSD.ORG>; Thu, 4 May 2006 14:15:43 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id A43A443D46 for <freebsd-security@FreeBSD.ORG>; Thu, 4 May 2006 14:15:42 +0000 (GMT) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (atmzeb@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id k44EFYDe043029; Thu, 4 May 2006 16:15:39 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.13.4/8.13.1/Submit) id k44EFYKF043028; Thu, 4 May 2006 16:15:34 +0200 (CEST) (envelope-from olli)
Date: Thu, 4 May 2006 16:15:34 +0200 (CEST)
Message-Id: <200605041415.k44EFYKF043028@lurza.secnetix.de>
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
In-Reply-To: <000001c66f7f$b148b620$01010101@avalon.lan>
X-Newsgroups: list.freebsd-security
User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386))
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Thu, 04 May 2006 16:15:39 +0200 (CEST)
Subject: Re: Jails and loopback interfaces
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Thu, 04 May 2006 14:15:43 -0000

No@SPAM@mgEDV.net wrote:
> > I recently did something like this. I have a webserver in a jail that
> > needs to talk to a database, and the webserver is the only thing that
> > should talk to the database.
> >
> > My solution was to use 2 jails: one for the webserver, and another for the
> > database.
> >
> > Jail 1:
> > * runs webserver
> > * binds to real interface with real, routable IP
> >
> > Jail 2:
> > * runs database server
> > * binds to loopback interface, isn't directly reachable
> >   from outside the box
>
> just to clarify that for me: you did set up this layout or you
> tried to set up this? as i read it, i understand that you did!
>
> i tried exactly the same but currently jails are bound to the specific
> ip-address assigned to them so i wonder how the webserver on a real
> ip-address can communicate with the database bound to the loopback ip?
> if you could kindly tell how you solved this issue (we're using 6.1).

In fact, it is a good idea to _always_ bind jails to non-routable
loopback IPs. For example:

   jail 1 (webserver) on 127.0.0.2
   jail 2 (database)  on 127.0.0.3

If a service needs to be accessible from the outside, you can use
IPFW FWD rules to forward packets destined to the real IP to the
jail's loopback IP. Of course there's no problem accessing the
database from the webserver.

Note that you have complete control over who can access what, by
using your favourite packet filter (IPFW, IPF, PF).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs." -- Robert Firth
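The layout Oliver sketches, written out as an IPFW ruleset. This is an added example, not from the thread or from anyone on it; the external interface (em0), the routable address (192.0.2.10), the two loopback jail addresses and the database port (5432) are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): web jail on 127.0.0.2, database jail
# on 127.0.0.3, outside clients reach the web jail only via an ipfw fwd rule.
# Set IPFW=echo to print the rules instead of loading them into the kernel.
IPFW="${IPFW:-ipfw}"
EXT_IF="${EXT_IF:-em0}"          # assumed external interface
EXT_IP="${EXT_IP:-192.0.2.10}"   # assumed routable address on EXT_IF
WEB_JAIL="${WEB_JAIL:-127.0.0.2}"
DB_JAIL="${DB_JAIL:-127.0.0.3}"
DB_PORT="${DB_PORT:-5432}"       # assumed database port

jail_rules() {
    # Redirect inbound HTTP for the real IP to the web jail's loopback socket.
    # fwd to a local address needs options IPFIREWALL_FORWARD in the kernel.
    $IPFW add 100 fwd "${WEB_JAIL},80" tcp from any to "$EXT_IP" 80 in recv "$EXT_IF"

    # Between the jails, only the web jail may reach the database port,
    # and only the database's replies may flow back.
    $IPFW add 200 allow tcp from "$WEB_JAIL" to "$DB_JAIL" "$DB_PORT"
    $IPFW add 210 allow tcp from "$DB_JAIL" "$DB_PORT" to "$WEB_JAIL"

    # Nothing else on the box, jailed or not, may talk to the database jail.
    $IPFW add 300 deny log ip from any to "$DB_JAIL"

    # Loopback addresses must never cross the wire in either direction.
    $IPFW add 400 deny ip from any to 127.0.0.0/8 recv "$EXT_IF"
    $IPFW add 410 deny ip from 127.0.0.0/8 to any xmit "$EXT_IF"
}

# Load the rules only when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    load) jail_rules ;;
esac
```

Run `IPFW=echo sh jail_rules.sh load` first to review the generated rules, then `sh jail_rules.sh load` as root to apply them.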