From: Fbsd8
Date: Sun, 10 Aug 2014 08:02:31 -0400
To: Norman Khine
Cc: freebsd-questions@freebsd.org
Subject: Re: correctly configuring PF with jailed environments
Message-ID: <53E75F57.5040907@a1poweruser.com>

Norman Khine wrote:
> hello, i have a web application running 3 jail environments: one for the Nginx
> web server, one for MongoDB/Redis and one for my Node.js application
>
> this is my current pf.conf file
>
> https://gist.github.com/nkhine/d03ea23a749c47bcc4d0
>
> this works, as there is no access to my node app nor any of the dbs from
> public interfaces.
>
> the rules come out as
>
> # pfctl -s rules
> scrub out log on igb0 all random-id min-ttl 15 set-tos 0x1c fragment reassemble
> scrub in log on igb0 all min-ttl 15 fragment reassemble
> scrub in all fragment reassemble
>
> i find that on my webserver i get timeouts and the html application does not
> load up quickly!
>
> also, are there any improvements i can make to this to ensure a more
> secure environment?
>
> any advice much appreciated

I do not see this as a jail or pf problem. Look at commenting out any mod_*
from the httpd.conf file that the html application does not use. Check that
the 3 apache jails are not using the same service port (80). Do not use the
apache default directory location for holding your html application files.
Disable the pf firewall in rc.conf and test if this speeds up apache.
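The reply's check that the jails are not competing for the same service port can be done mechanically rather than by eye. Below is an added example, not code from either poster: a POSIX shell function that reads one record per listening socket (jail name, protocol, local address in the `addr:port` form that sockstat prints) and reports every protocol/port pair claimed by more than one jail on the same address. A wildcard bind (`*`) is reported against every other bind on that port; since a jail's INADDR_ANY bind is restricted to the jail's own addresses, treat such a report as something to inspect rather than a certain clash. The sample records are constructed, and the collection loop in the comment (jls plus sockstat -j per jail) is an assumption about how the records would be gathered on a real host.

```sh
#!/bin/sh
# Added example: detect service-port collisions between jails.
#
# Assumed collection step on a FreeBSD host (not run here); the awk pulls the
# PROTO and LOCAL ADDRESS columns out of sockstat's listener output:
#   for j in $(jls -h name | tail -n +2); do
#       sockstat -4 -l -j "$j" | awk -v j="$j" 'NR > 1 { print j, $5, $6 }'
#   done
#
# Constructed sample: three jails roughly matching the thread (web, app, db).
# "app" is bound to *:80, which collides with web's 10.0.10.2:80; the two
# 443 listeners are on distinct addresses and are not a conflict.
SAMPLE_SOCKETS='web tcp4 10.0.10.2:80
web tcp4 10.0.10.2:443
app tcp4 *:80
app tcp4 10.0.10.3:443
app tcp4 10.0.10.3:3000
db tcp4 10.0.10.4:27017
db tcp4 10.0.10.4:6379'

# Input on stdin: "<jail> <proto> <addr:port>" per line.
# Output: one line "<proto> <port> <jail> <jail>..." per colliding port,
# in first-seen order; no output means no collisions.
find_port_conflicts() {
    awk '
    {
        jail = $1; proto = $2
        n = split($3, p, ":"); port = p[n]
        addr = $3; sub(":" port "$", "", addr)
        key = proto " " port
        if (!(key in seen)) { order[++cnt] = key; seen[key] = 1 }
        entries[key] = entries[key] jail "/" addr ";"
    }
    END {
        for (i = 1; i <= cnt; i++) {
            key = order[i]
            m = split(entries[key], e, ";")      # trailing ";" leaves e[m] empty
            conflict = 0
            split("", mark); split("", printed)  # portable way to clear arrays
            for (a = 1; a < m; a++)
                for (b = a + 1; b < m; b++) {
                    split(e[a], ja, "/"); split(e[b], jb, "/")
                    # Same port, different jails, and either the same address
                    # or a wildcard on one side.
                    if (ja[1] != jb[1] &&
                        (ja[2] == jb[2] || ja[2] == "*" || jb[2] == "*")) {
                        mark[ja[1]] = 1; mark[jb[1]] = 1; conflict = 1
                    }
                }
            if (conflict) {
                out = key
                for (a = 1; a < m; a++) {
                    split(e[a], j, "/")
                    if ((j[1] in mark) && !(j[1] in printed)) {
                        out = out " " j[1]; printed[j[1]] = 1
                    }
                }
                print out
            }
        }
    }'
}

# Run against the constructed sample; prints "tcp4 80 web app".
printf '%s\n' "$SAMPLE_SOCKETS" | find_port_conflicts
```

Feed the function real records from the collection loop and an empty result confirms the jails are not fighting over a port; anything else names the port and the jails involved so the offending listener can be moved to the jail's own address or a different port before turning pf back on.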