Date: Fri, 5 May 2006 14:41:48 -0700 (PDT) From: Bigby Findrake <bigby@ephemeron.org> To: freebsd-security@freebsd.org, nospam@mgedv.net Subject: Re: Jails and loopback interfaces Message-ID: <20060505142334.G26390@home.ephemeron.org> In-Reply-To: <200605041539.k44FdIpP046875@lurza.secnetix.de> References: <200605041539.k44FdIpP046875@lurza.secnetix.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 4 May 2006, Oliver Fromme wrote:
> > 192.168.10.1 = jail ip of the ws
> > 127.0.0.1 = jail ip of the db
>
> Don't use those IPs. In particular it's probably not a
> good idea to use localhost as a jail IP. Use only loopback
> IPs (other than localhost), like the example that I wrote
> above.
I agree with Oliver here - there's a difference between using the loopback
adapter and using the localhost (127.0.0.1) IP. I would strongly
recommend against using localhost as a jail IP unless you have a specific
reason *to* do that - in other words, just assign an alias to the loopback
adapter and use that alias for the jail.
One reason that comes to mind immediately in response to the unasked
question, "why not use the loopback address for a jail?" is that using the
loopback address for a jail makes it hard to seperate (for use by packet
filters, for instance) host machine traffic from jail machine traffic.
There are probably other good reasons for *not* using the loopback address
for a jail as well, but I can't think of any of them.
> And of course you should use appropriate packetfilter rules to enforce
> what kind of access between the jails is allowed. Only allow what you
> need.
I agree again. If you're using the jail for security, lock it down, only
allow traffic that should be going to (and from!) the jail, and disallow
everything else. Servers tend to accept connections, and not initiate
them. If this is the case for your server processes, use stateful
firewall rules to enforce the direction of connections - for instance, you
might want to allow connections to port 80 on your jail, but you probably
wouldn't want people launching attacks *from* port 80 on your jail once
they compromise your webserver. Assume that your jail will get hacked,
and do all you can to prevent that jail from being a useful staging point
for your attackers next wave of attacks.
/-------------------------------------------------------------------------/
That's where the money was.
-- Willie Sutton, on being asked why he robbed a bank
finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060505142334.G26390>