Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 04 Apr 2012 10:16:37 +0200
From:      Andrea Venturoli <>
Subject:   Best practices about Jails
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help

Plase forgive the long post and the amount of questions, but I'm new to 
jails and I'd like to be sure of what I'm doing before deploying more 
than a test one.
Right now I need to run a commercial Java app, which, ideally, I would 
forbid to access files outside its directory.
This might be done by simple chrooting it, but I read a jail is a better 
solution, so I started with ezjails.

First of all, I'm wondering whether it would be possible/useful to use 
chroot even inside that jail. Any opinions?

Second question: from inside the jail I can access all services on 
localhost (eg. telnet localhost pop3, where a pop3 server is running on 
the host). Can this be avoided, e.g. with ipfw?
Ideally, since this jail will run only one deamon and it will be 
accessed through Apache mod_proxy from the host, I'll just need inbound 
access to its port and outbound access to smtp and web proxy on the host 
system. No direct access from/to other hosts.
Is this possible?

Next... ezjail's author suggests I have a copy of the port tree just for 
the jails and, furthermore, a repository for distfiles for every jail.
Since this would waste a lot of space, I already used a single distfile 
repository, but I'm also wondering whether it would be a bad idea to use 
the host's port tree. I know lot of people do this and, keeping it tidy 
with portsclean -CD, I wonder if it really would be a security risk in 
my case.

Finally (for now :): I usually install portaudit and receive every day a 
report about vulnerabilities in the host system's installed ports. What 
about jails? Should I install portaudit there too and let them flood me 
with reports? Is there a way to let the host's portaudit check jails too?

I'm sure I'll have other questions in some days...
Thanks in advance for now to anyone who will answer.


Want to link to this message? Use this URL: <>