From owner-freebsd-security@FreeBSD.ORG Tue Mar 7 15:07:05 2006
Date: Tue, 7 Mar 2006 10:07:03 -0500 (EST)
From: Cyril Jaouich
To: freebsd-security@freebsd.org
Subject: Jails and loopback interfaces
Message-ID: <20060307150703.75574.qmail@web30609.mail.mud.yahoo.com>

Hi,

Running: FreeBSD 6.0

I am wondering if it is possible to have access to a loopback IP in a jail. I currently have a server running a jail. In the jail, there is a database and a web server. I would like to be able to have the database only bind on a loopback address and not on the jail's IP.

Can this be done and how?
Thanks

-Cyril

From owner-freebsd-security@FreeBSD.ORG Tue Mar 7 16:03:56 2006
Date: Tue, 07 Mar 2006 13:02:58 -0300
From: "Ricardo A. Reis"
To: Cyril Jaouich
Cc: freebsd-security@freebsd.org
Subject: Re: Jails and loopback interfaces
Message-ID: <440DAEB2.3030102@yahoo.com.br>
In-Reply-To: <20060307150703.75574.qmail@web30609.mail.mud.yahoo.com>

Hi Cyril,

To access the loopback inside the jail, it is necessary to configure an alias for the loopback on the host server and start the jail using the loopback. Remember the loopback address is all of 127/8!

Ex.

rc.conf

ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"

jail_packages_rootdir="/jail/packages"
jail_packages_hostname="packages.xxx.xxx"
jail_packages_ip="127.0.0.2"
jail_packages_exec_start="/bin/sh /etc/rc"
jail_packages_exec_stop="/bin/sh /etc/rc.shutdown"
jail_packages_devfs_enable="YES"
jail_packages_fdescfs_enable="NO"
jail_packages_procfs_enable="NO"
jail_packages_mount_enable="YES"
jail_packages_devfs_ruleset="devfsrules_jail"
jail_packages_fstab="/etc/fstab.packages"

Ricardo A. Reis
UNIFESP
Unix and Network Admin
From owner-freebsd-security@FreeBSD.ORG Tue Mar 7 18:00:35 2006
Date: Tue, 7 Mar 2006 10:00:48 -0800 (PST)
From: Bigby Findrake
To: Cyril Jaouich, freebsd-security@freebsd.org
Subject: Re: Jails and loopback interfaces
Message-ID: <20060307094404.B49310@home.ephemeron.org>
In-Reply-To: <20060307150703.75574.qmail@web30609.mail.mud.yahoo.com>

I recently did something like this. I have a webserver in a jail that needs to talk to a database, and the webserver is the only thing that should talk to the database. My solution was to use 2 jails: one for the webserver, and another for the database. A jail can only bind to one IP. Presumably you want the webserver to be able to talk out of the box, so having the webserver jail bind to a loop-back address isn't really the way to go (without getting unnecessarily complex with all sorts of NATing and forwarding firewall rules).

Jail 1:
* runs webserver
* binds to real interface with real, routable IP

Jail 2:
* runs database server
* binds to loopback interface, isn't directly reachable from outside the box

As a further piece of advice, if you're using jails at all, you're probably concerned with security. In case you are, you should always consider firewalling the jail to make sure that it can't reach things that you don't want it to. I usually implement a few stateful firewall rules to make it so that the jail cannot initiate connections outward, because if the jail is compromised, you (probably) want to make it so that it cannot be used as a platform to launch further attacks.
For example:

ipfw add check-state
ipfw add allow tcp from any to $JAIL keep-state setup
ipfw add deny ip from any to $JAIL
ipfw add deny ip from $JAIL to any

Or, if you know that the only service you want to be available on the jail is the web server, why allow any other access at all?

ipfw add check-state
ipfw add allow tcp from any to $JAIL 80 keep-state setup
ipfw add deny ip from any to $JAIL
ipfw add deny ip from $JAIL to any

You would, of course, have to modify these rules to accommodate your database.

/-------------------------------------------------------------------------/
"I'm busy. What, you think these web-sites are gonna surf themselves???"
finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Tue Mar 7 19:09:15 2006
Date: Tue, 07 Mar 2006 13:08:06 -0600
From: Josh Bell
To: Cyril Jaouich
Cc: freebsd-security@freebsd.org
Subject: Re: Jails and loopback interfaces
Message-ID: <440DDA16.2050109@oplink.net>
In-Reply-To: <20060307150703.75574.qmail@web30609.mail.mud.yahoo.com>

For what it's worth, it seems like it would be a better idea to use the file socket instead of connecting to an IP. You could then mount the socket within the jail, if I am not mistaken.

----
Joshua Bell

From owner-freebsd-security@FreeBSD.ORG Wed Mar 8 20:07:10 2006
From: Axel Scheepers
To: "Ricardo A. Reis"
Date: Wed, 08 Mar 2006 21:07:06 +0100
Cc: freebsd-security@freebsd.org, Cyril Jaouich
Subject: Re: Jails and loopback interfaces
Message-Id: <1141848426.3290.79.camel@localhost.localdomain>
In-Reply-To: <440DAEB2.3030102@yahoo.com.br>

On Tue, 2006-03-07 at 13:02 -0300, Ricardo A. Reis wrote:
> Hi Cyril,
>
> To access the loopback inside the jail, it is necessary to configure an alias
> for the loopback on the host server and start the jail using the loopback.
> Remember the loopback address is all of 127/8!
>

I just recently tried jails but I thought 127.0.0.1 would be mapped to the jail's IP address, which eventually gets mapped to the IP specified in the parameter or rc.conf. I could be wrong though, although my test-jail setup confirms this on 6.1-PRERELEASE:

test-jail# telnet localhost 22
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903

Kind regards,

Axel Scheepers

From owner-freebsd-security@FreeBSD.ORG Wed Mar 8 21:07:27 2006
Date: Wed, 8 Mar 2006 13:07:58 -0800 (PST)
From: Bigby Findrake
To: Axel Scheepers
Message-ID: <20060308130742.A11454@home.ephemeron.org>
In-Reply-To: <1141848426.3290.79.camel@localhost.localdomain>
Cc: freebsd-security@freebsd.org, Cyril Jaouich, "Ricardo A. Reis"
Subject: Re: Jails and loopback interfaces

I would recommend *not* trying to use 127.0.0.1. You'll end up in a situation where things are trying to access the local machine and are getting the jail instead.

Instead, I recommend schlopping another IP address, an alias, onto the loopback interface, just as you would with any other jail. Use an RFC 1918 address, and, as with all jails, use a netmask of 32 bits.

/-------------------------------------------------------------------------/
Never worry about theory as long as the machinery does what it's supposed to do. -- R. A. Heinlein
finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Wed Mar 8 21:17:39 2006
Date: Wed, 8 Mar 2006 16:17:34 -0500 (EST)
From: Cyril Jaouich
To: freebsd-security@freebsd.org
Subject: SUMMARY: Jails and loopback interfaces
Message-ID: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>
In-Reply-To: <20060308130742.A11454@home.ephemeron.org>

Well well,

I have received a lot of answers and solutions.
Setup:
Server A hosts a jail B
Jail B is webserver and database server

What I want to do:
Limit access to the database by binding the database on the loopback address (127.0.0.1).

Since you can only use 1 IP in a jail and I am running a web server, it has to be a routed address (non-RFC1918). Also, when a process inside a jail connects to the loopback (127.0.0.1), you hit the jail's IP and not the loopback IP of the master server (where the jail sits).

In order to secure my database, it's best to use PF to limit exterior access. You can also set up another jail that will use an RFC1919 address.

Thanks to:
Bigby Findrake
Axel Scheepers
Josh Bell
Ricardo A. Reis
Jon

-Cyril

From owner-freebsd-security@FreeBSD.ORG Thu Mar 9 13:13:57 2006
Date: Thu, 09 Mar 2006 14:13:51 +0100
From: Michal Mertl
To: Cyril Jaouich
Cc: freebsd-security@freebsd.org
Subject: Re: SUMMARY: Jails and loopback interfaces
Message-Id: <1141910031.759.4.camel@genius.i.cz>
In-Reply-To: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>

One solution which I think hasn't been mentioned here is to have jails on RFC1918 IP addresses or loopback (127/8) and have a packet filter redirect/forward just the visible services to the internal IP addresses. I haven't tried it myself but according to others it works.

Michal
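Pulling the thread's advice together (Ricardo's rc.conf loopback alias, Bigby's point about using an RFC 1918 or 127/8 alias other than 127.0.0.1 with a 32-bit netmask, and his stateful ipfw pattern, narrowed here so that only the web jail may reach the database port), the following is an added example of my own and not code from any of the posters. The jail name, root directory, hostname, port 5432 and the 203.0.113.10 web-jail address are made-up values.

```python
# Generate rc.conf and ipfw fragments for a database jail parked on a
# loopback alias, checking the address against the thread's advice first.
# Names, paths and addresses used in __main__ are constructed examples.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
HOST_LOOPBACK = ipaddress.ip_address("127.0.0.1")


def jail_ip_problem(ip_str, prefix_len):
    """Return None if ip_str/prefix_len is a sane address for a
    loopback-only jail, otherwise a string saying what is wrong."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return f"{ip_str!r} is not an IP address"
    if ip.version != 4:
        return "FreeBSD 6 jails take a single IPv4 address"
    if prefix_len != 32:
        return "jail aliases must use a 32-bit netmask (/32)"
    if ip == HOST_LOOPBACK:
        return "127.0.0.1 is the host's own loopback; pick another alias"
    if ip not in LOOPBACK and not any(ip in net for net in RFC1918):
        return f"{ip} is routable; use an RFC 1918 or 127/8 address"
    return None


def rc_conf_lines(name, ip_str, rootdir, hostname, alias_index=0):
    """rc.conf fragment in the style of Ricardo's example: the lo0 alias
    plus the jail_<name>_* variables read by /etc/rc.d/jail on 6.x.
    (jail_enable="YES" and jail_list must also name the jail.)"""
    problem = jail_ip_problem(ip_str, 32)
    if problem:
        raise ValueError(problem)
    return [
        f'ifconfig_lo0_alias{alias_index}="inet {ip_str} netmask 0xffffffff"',
        f'jail_{name}_rootdir="{rootdir}"',
        f'jail_{name}_hostname="{hostname}"',
        f'jail_{name}_ip="{ip_str}"',
        f'jail_{name}_exec_start="/bin/sh /etc/rc"',
        f'jail_{name}_exec_stop="/bin/sh /etc/rc.shutdown"',
        f'jail_{name}_devfs_enable="YES"',
        f'jail_{name}_devfs_ruleset="devfsrules_jail"',
    ]


def ipfw_lines(db_ip, web_ip, db_port):
    """Bigby's stateful pattern, narrowed: only the web jail may open the
    database port, and the database jail may not initiate anything."""
    return [
        "ipfw add check-state",
        f"ipfw add allow tcp from {web_ip} to {db_ip} {db_port} keep-state setup",
        f"ipfw add deny ip from any to {db_ip}",
        f"ipfw add deny ip from {db_ip} to any",
    ]


if __name__ == "__main__":
    # Constructed values: db jail on 10.0.2.3, web jail on 203.0.113.10.
    for line in rc_conf_lines("db", "10.0.2.3", "/jail/db", "db.example.invalid"):
        print(line)
    for line in ipfw_lines("10.0.2.3", "203.0.113.10", 5432):
        print(line)
```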