Date: Sun, 23 Mar 2008 07:23:35 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: David Allen <the.real.david.allen@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: A few jail questions
Message-ID: <47E60577.6080002@infracaninophile.co.uk>
In-Reply-To: <2daa8b4e0803221937m7b1c2016h663ade8749272bde@mail.gmail.com>
References: <2daa8b4e0803221937m7b1c2016h663ade8749272bde@mail.gmail.com>
David Allen wrote:
> I've recently been examining the use of jails in FreeBSD, and I have some
> questions I hope someone can shed some light on with respect to running
> virtual servers in jails.
>
> 1. Upgrading. This is probably an "It Depends" question, but if a host system
> is upgraded (within version numbers), will the new kernel and world on the
> host system cause potential problems with existing jails when they are
> restarted? Or do the jails need to be rebuilt before they are started?
In general, no. It is quite possible to host a jail running effectively a
different version of FreeBSD than the base machine -- a technique that is used
extensively in the ports build cluster. The emulation is not perfect, and
of course the kernel that is used is the one from the base system, but it's
fine for most purposes.

If it's just a case of slight lag between updating the base system and the
jails, then I wouldn't worry about it.
> 2. Localhost. Jails seem to be implemented using IP address aliasing, so
> anything within the jail that wants to, or is configured to, bind to the
> localhost address, now gets bound to the jail's IP address. This means
> that what was once local, is now publicly available. Will running a
> firewall on the host system work in such cases?
Yes, a firewall is a good idea. One very effective method to secure a jail
is to create the jail bound to the *loopback* interface of the main host, and
then use firewall redirect rules to send the wanted traffic to the jail's
IP. eg. using pf:

    jail_int = "127.0.0.2"
    jail_ext = "12.34.56.78"
    [...]
    nat on $ext_if proto { tcp udp } \
        from $jail_int \
        to !$jail_int -> $jail_ext static-port
    rdr on $ext_if proto tcp \
        from any \
        to $jail_ext port { 22 80 } -> $jail_int
    rdr on $ext_if proto udp \
        from any \
        to $jail_ext port 53 -> $jail_int

So in this case only tcp traffic to ports 22 and 80 or udp traffic to port 53
is redirected into the jail.

Variations on this technique are about the only way to effectively give a
jail more than one IP.
> 3. Sendmail. The usual approach of setting "sendmail_enable=NO" (or using
> DAEMON_OPTIONS) won't prevent sendmail running in a jail from starting up
> and listening for incoming mail from external hosts. Short of disabling
> sendmail entirely, I'm wondering what approach most people use as a
> workaround.
Fixed by the bind-jail-to-loopback trick above.
Cheers,
Matthew
-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
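The bind-jail-to-loopback layout from the reply above, written out as a complete pf.conf. This is an added example, not Matthew's configuration: it keeps his macro names, nat and rdr rules and fills in the parts his fragment elides (the [...] part): the external interface macro, the filter rules that actually admit the redirected traffic, and the rc.conf lines that create the loopback alias and hand it to the jail. The interface name em0, the jail name www, the public address 12.34.56.78 and the rc.conf variable names are assumptions, not values from the message.

```pf
# /etc/pf.conf -- added example, not the configuration from the message above.
# Assumed values: external interface em0, jail "www" bound to the loopback
# alias 127.0.0.2, public address 12.34.56.78 (placeholder, as in the message).
#
# Matching /etc/rc.conf lines (assumed, FreeBSD rc.conf style of the period):
#   ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255"
#   jail_enable="YES"
#   jail_list="www"
#   jail_www_ip="127.0.0.2"
#
# Every daemon inside the jail, sendmail included, binds to 127.0.0.2, which
# is not reachable from the network at all; the rdr rules below are the only
# way in, so anything not listed there is simply unreachable.

ext_if   = "em0"
jail_int = "127.0.0.2"
jail_ext = "12.34.56.78"
jail_tcp = "{ 22 80 }"
jail_udp = "{ 53 }"

# Do not filter loopback; host <-> jail traffic stays on lo0.
set skip on lo0

# Outbound: rewrite the jail's loopback source address to the public one.
# static-port keeps the source port unchanged, which DNS on udp 53 relies on.
nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int \
    -> $jail_ext static-port

# Inbound: only the listed ports are forwarded into the jail.
rdr on $ext_if proto tcp from any to $jail_ext port $jail_tcp -> $jail_int
rdr on $ext_if proto udp from any to $jail_ext port $jail_udp -> $jail_int

# Default deny on the external interface; log what gets dropped.
block in log on $ext_if
pass out on $ext_if keep state

# Filter rules are evaluated after translation, so they match on the jail's
# loopback address (the post-rdr destination) and the same port lists.
pass in on $ext_if proto tcp from any to $jail_int port $jail_tcp \
    flags S/SA keep state
pass in on $ext_if proto udp from any to $jail_int port $jail_udp keep state
```

Once the jail is running, `sockstat -4 -l` on the host should show the jail's listeners on 127.0.0.2 rather than on the public address, and `pfctl -sn` lists the active nat and rdr rules; a listener that appears on 127.0.0.2 but has no matching rdr line is exactly the sendmail case from question 3: started, but unreachable from outside.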
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47E60577.6080002>
