From: Bigby Findrake
To: "No@SPAM@mgEDV.net"
Cc: freebsd-security@freebsd.org
Date: Sun, 7 May 2006 13:15:42 -0700 (PDT)
Subject: RE: Jails and loopback interfaces
Message-ID: <20060507131243.U26146@home.ephemeron.org>
In-Reply-To: <000001c66f7f$b148b620$01010101@avalon.lan>

On Thu, 4 May 2006, No@SPAM@mgEDV.net wrote:

> >> I recently did something like this. I have a webserver in a jail that
> >> needs to talk to a database, and the webserver is the only thing that
> >> should talk to the database.
>
> >> My solution was to use 2 jails: one for the webserver, and another for the
> >> database.
>
> >> Jail 1:
> >> * runs webserver
> >> * binds to real interface with real, routable IP
>
> >> Jail 2:
> >> * runs database server
> >> * binds to loopback interface, isn't directly reachable
> >> from outside the box
>
> just to clarify that for me: you did set up this layout or you
> tried to set up this? as i read it, i understand that you did!

I did set it up. My scenario is up and functioning in production.

> i tried exactly the same but currently jails are bound to the specific
> ip-address assigned with them so i wonder, how the webserver on a real
> ip-address can communicate with the database bound to the loopback ip?
> if you could kindly tell, how you solved this issue (we're using 6.1).

Packets leaving a jail are not limited to leaving the host machine on the
same interface that the jail is bound to. The jail is limited to sending
packets from, and receiving packets to, the IP address that it's bound to,
but those packets can go out, or come in, any interface on the host
machine. You don't need to do any special routing or firewall or NAT or
anything to get a jail to be able to talk to the host.

/-------------------------------------------------------------------------/
Psychiatrists say that one out of four people are mentally ill.
Check three friends. If they're OK, you're it.

finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
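As an added illustration of the two-jail layout discussed above (this is not code from the thread or from FreeBSD), the sh snippet below sketches the host rc.conf lines such a setup needs and checks `sockstat -4 -l` output for a database listener that has escaped the loopback alias; the rc.conf values, jail names, addresses and the sockstat sample are all constructed.

```shell
#!/bin/sh
# Added example for the two-jail layout above (not from the thread).
# Assumed FreeBSD 6.x rc.conf fragment on the host: the database jail
# gets an alias on lo0, the web jail a routable address (all constructed):
#   ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255"
#   jail_enable="YES"
#   jail_list="web db"
#   jail_web_rootdir="/usr/jails/web"  jail_web_ip="203.0.113.10"
#   jail_db_rootdir="/usr/jails/db"    jail_db_ip="127.0.0.2"
# The database only stays unreachable from outside the box if it listens
# solely on 127.0.0.2, so audit the host's listeners for its port.

# exposed_listeners PORT: read `sockstat -4 -l` lines on stdin and print
# "COMMAND ADDR:PORT" for each tcp4 listener on PORT whose local address
# is not in 127.0.0.0/8 (a wildcard '*' bind counts as exposed).
exposed_listeners() {
    awk -v p="$1" '
        $5 == "tcp4" {
            n = split($6, a, ":")
            if (a[n] == p && a[1] !~ /^127\./) print $2, $6
        }'
}

# Constructed sample of sockstat -4 -l output: postgres is correctly on
# the loopback alias but also, wrongly, on the routable address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1201  4  tcp4   203.0.113.10:80       *:*
pgsql    postgres   1342  3  tcp4   127.0.0.2:5432        *:*
pgsql    postgres   1342  4  tcp4   203.0.113.10:5432     *:*'

# check_sample PORT: run the check over the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners "$1"
}

# On a real host you would run: sockstat -4 -l | exposed_listeners 5432
check_sample 5432    # prints: postgres 203.0.113.10:5432
```

Port 80 is expected to show up as exposed (that is the web jail's job); anything reported for the database port means the database is reachable from outside the box.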