From: "V. Jones" <vjones62@earthlink.net>
To: freebsd-security@freebsd.org
Date: Sun, 13 Jul 2003 12:46:39 -0700 (PDT)
Subject: Re: jails, ipfilter & stunnel
Message-ID: <4346655.1058114953973.JavaMail.nobody@skeeter.psp.pas.earthlink.net>
List-Id: Security issues [members-only posting]

> You don't have to have multiple IP aliases for multiple jails. Or at
> least there is no technical necessity for this (in FreeBSD 4.x, that is,
> don't know about 5.x). If it's just about running server processes in
> their own jail (no port number conflicts) you can have all jails on the
> same IP address and do the IP filtering (if necessary at all in this
> scenario) based on port numbers.

Okay, I didn't realize I could run more than one jail on one IP address.
I guess if I needed ssh on each jailed server I could just make sure the
port number is unique.

> > Finally, I'd like to use SSL to offer secure web connections & secure email
> > without having to buy two certificates. Am I getting too cute if I accept
> > ssl connections on one ip address and use stunnel to route them to the
> > appropriate jailed server?
>
> In case of all jails on one IP address this problem goes away, too. You
> could define a generic domain name for the SSL stuff, for instance
> 'secure.domain.tld', get a certificate for that and use it for web as
> well as email and other purposes.
>
> Uwe

This confuses me - doesn't the host name have to match the certificate?
Can two jails have the same host name too?

--
Valen Jones
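Editor's added example, not part of the original thread: the name that a TLS client checks against the certificate is the name the client connected to, not the hostname the server (or jail) calls itself. The block below implements that check the way clients do it (RFC 6125 / RFC 2818 rules: subjectAltName dNSName first, CN only as legacy fallback, wildcard only as the whole leftmost label, IP literals only against iPAddress entries) and runs it for a constructed certificate issued for the generic name 'secure.domain.tld' against several services. The certificate dicts, service names and hostnames are constructed for illustration; nothing here is taken from a real certificate.

```python
"""Hostname-to-certificate name matching as a TLS client performs it.

Added example. Certificates are represented as plain dicts extracted from a
hypothetical X.509 certificate: san_dns (dNSName entries), san_ip (iPAddress
entries) and cn (subject commonName). ASCII labels only; IDNA is not handled.
"""
import ipaddress
from typing import Optional

# Constructed sample: a certificate issued for the generic service name.
GENERIC_CERT = {
    "san_dns": ["secure.domain.tld"],  # subjectAltName dNSName entries
    "san_ip": [],                      # subjectAltName iPAddress entries
    "cn": "secure.domain.tld",         # legacy subject commonName
}


def _dns_pattern_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3).

    Case-insensitive; a trailing dot is ignored. A wildcard is honoured only
    when it is the entire leftmost label, it matches exactly one non-empty
    label, and patterns with fewer than three labels (e.g. "*.tld") never match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def _parse_ip(text: str) -> Optional[str]:
    """Canonical string form of an IP literal (v4 or bracketed v6), else None."""
    try:
        return str(ipaddress.ip_address(text.strip("[]")))
    except ValueError:
        return None


def match_hostname(cert: dict, hostname: str) -> bool:
    """Would a client connecting to `hostname` accept `cert` for that name?"""
    ip = _parse_ip(hostname)
    if ip is not None:
        # IP literals match iPAddress SAN entries only, never dNSName or CN.
        return any(_parse_ip(entry) == ip for entry in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # When dNSName entries are present the CN is ignored (RFC 6125 6.4.4).
        return any(_dns_pattern_match(p, hostname) for p in san_dns)
    cn = cert.get("cn")
    return bool(cn) and _dns_pattern_match(cn, hostname)


def services_covered(cert: dict, endpoints: dict) -> dict:
    """Map service -> whether `cert` is valid for the name clients use for it.

    Several daemons on one IP (each in its own jail, on its own port) can share
    one certificate as long as clients reach all of them via a name it covers.
    """
    return {svc: match_hostname(cert, name) for svc, name in endpoints.items()}


if __name__ == "__main__":
    # Constructed endpoints: two reached via the generic name, two via others.
    endpoints = {
        "https": "secure.domain.tld",
        "imaps": "secure.domain.tld",
        "https-www": "www.domain.tld",
        "smtps-mail": "mail.domain.tld",
    }
    for svc, ok in services_covered(GENERIC_CERT, endpoints).items():
        print(f"{svc:11s} {'OK' if ok else 'NAME MISMATCH'}")
```

The practical consequence for the setup discussed in the thread is that every client (browser, mail client) must be configured to connect to the generic name; a client pointed at `www.domain.tld` or `mail.domain.tld` will reject the same certificate even though it reaches the same IP address and the same daemons.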