Date: Wed, 8 Jun 2011 11:30:02 -0400
From: Alejandro Imass <ait@p2ee.org>
To: Erik Nørgaard <norgaard@locolomo.org>
Cc: "questions@FreeBSD.org Questions" <questions@freebsd.org>
Subject: Re: How to restrict jail's network access?
Message-ID: <BANLkTikHNkMiFWESqftS9Jqh3J358cZOfA@mail.gmail.com>
In-Reply-To: <4DEF8C23.5010707@locolomo.org>
References: <4DEF8C23.5010707@locolomo.org>

On Wed, Jun 8, 2011 at 10:50 AM, Erik Nørgaard <norgaard@locolomo.org> wrote:
> Hi:
>
> I'm planning to move services to run in jails. Two jails:
>
> 1: Mail related: postfix, cyrus imap and openldap
> 2: Web related: apache and postgresql
>
> No service should be able to connect out of the jail to remote hosts, except
> for postfix that needs to connect out to port 25 for delivery to other
> domains.
>

Jails usually run in a private network by default; each has a private IP
which is an alias of the lo device.

In fact you usually have to explicitly NAT ports from the base system to the Jails.

Try EzJail (yep, easy peasy as its name suggests) and check out these references:

http://erdgeist.org/arts/software/ezjail/
http://www.freebsddiary.org/ezjail.php
http://www.scottro.net/qnd/qnd-ezjail.html
http://www.bsdguides.org/guides/freebsd/security/manage_jails

Best,

--
Alejandro Imass

P.S. you can always hire your initial set-up/training, I'm sure many here
would be more than happy to do so ;-)
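
A sketch of the NAT arrangement this reply describes, applied to the restriction asked about in the quoted question; it is an added example, not part of the original message. It assumes pf on the host, an external interface em0, jail addresses 10.0.0.1 (mail) and 10.0.0.2 (web) aliased on a cloned loopback lo1, and the listed service ports; all of these are placeholders.

```conf
# /etc/pf.conf fragment (added example; interface, addresses and ports are assumed)
ext_if    = "em0"          # assumed external interface of the host
mail_jail = "10.0.0.1"     # assumed lo1 alias of the mail jail
web_jail  = "10.0.0.2"     # assumed lo1 alias of the web jail
jail_net  = "10.0.0.0/24"  # assumed private range holding the jail aliases

# Translation rules must come before filter rules in pf.conf.

# Outbound: the only jail traffic that gets translated is SMTP delivery
# from the mail jail. Nothing else from the jails has a NAT rule.
nat on $ext_if inet proto tcp from $mail_jail to any port 25 -> ($ext_if)

# Inbound: publish only the ports each jail is meant to serve.
# openldap and postgresql are deliberately not redirected.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 25, 143 } -> $mail_jail
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $web_jail

# Filter rules see packets after translation. The SMTP flow above now
# carries the host's address, so it does not match this rule; any other
# jail-originated packet still has a 10.0.0.x source and is dropped here.
block drop out quick on $ext_if inet from $jail_net to any

# Allow the redirected connections in. These rules keep state, so the
# jails' replies follow the state entry and are not caught by the block.
pass in on $ext_if inet proto tcp from any to $mail_jail port { 25, 143 }
pass in on $ext_if inet proto tcp from any to $web_jail  port { 80, 443 }

# Syntax check without loading the ruleset: pfctl -nf /etc/pf.conf
```

Name resolution for the mail jail is not covered here: Postfix needs MX lookups, so it requires either a resolver it can reach locally or one further narrowly scoped rule.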