Date: Wed, 3 Apr 2002 17:21:11 +1200 (NZST)
From: Andrew McNaughton <andrew@scoop.co.nz>
To: "David G . Andersen" <danderse@cs.utah.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Jail with one IP?
Message-ID: <20020403170935.R86973-100000@a2>
In-Reply-To: <20020402181402.A27138@cs.utah.edu>
What I do is to alias extra IPs to the loopback interface, i.e. my ifconfig
output looks something like this:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000
        inet 127.0.0.3 netmask 0xff000000

I then use those IPs for jails. I pass packets on with ipfw forwarding rules
and via proxies on the externally available IP. E.g. you can use this
approach to set up a bunch of jailed apache servers and pass connections to
them internally from a single front end proxy implemented with either apache
or squid. The front end proxy can service many virtual domains with a single
external IP. Presumably something similar would be possible with incoming
smtp, but I haven't yet set that up.

For ssh access to the jail environments it is easiest to set up on separate
ports. I've wondered about setting up user accounts which immediately exec a
second internal ssh connection to the appropriate jail using a key based
login, but I don't know quite enough about whether there are ways to subvert
this.

Andrew McNaughton

On Tue, 2 Apr 2002, David G . Andersen wrote:

> Date: Tue, 2 Apr 2002 18:14:02 -0700
> From: David G . Andersen <danderse@cs.utah.edu>
> To: freebsd-security@FreeBSD.ORG
> Subject: Jail with one IP?
>
> Does anyone have warnings / experience with how Jail will behave
> when used with a single IP address, as "chroot++"?
> What I'm really looking for is something that's a
> hybrid between chroot and jail; my machines have only a single IP address,
> but I'd like the benefit of a real Jail environment, that people can access
> through an sshd started on a different port from within the jail.
>
> It seems to have the dangers one would expect - root inside the jail can bind
> TCP ports that take over those from the external jail environment (highly
> bummer), but these can likely be fixed with a little bit of hackery,
> or very easily by denying binding to ports < 1024 from the jail environment.
> Are there any other caveats of which I should be aware before heading down
> this road? Or has anyone else done this before and has lots of good advice?
>
> TIA,
>
> -Dave
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
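The loopback-alias setup described in Andrew's reply, written out as a shell script that is an added example and not code from either poster. It aliases one 127.0.0.x address per jail on lo0, adds an ipfw fwd rule that hands a public port on the host's single address to the jail's address (with a rule that drops packets arriving from the network with a 127/8 destination, so the aliases stay reachable only from the host), and starts the jail bound to its alias. The interface name fxp0, the address 203.0.113.10, the jail path /usr/jails and the rule numbers are constructed placeholders; fwd rules need a kernel built with IPFIREWALL_FORWARD. DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): one loopback alias per jail, an ipfw
# fwd rule per published service, and the jail start-up bound to that alias.
# All interface names, addresses, paths and rule numbers are placeholders.

EXT_IF=${EXT_IF:-fxp0}             # assumed external interface
EXT_IP=${EXT_IP:-203.0.113.10}     # assumed single public address (documentation range)
JAIL_ROOT=${JAIL_ROOT:-/usr/jails} # assumed directory holding the jail roots
DRY_RUN=${DRY_RUN:-1}              # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Loopback address owned by jail number N: 127.0.0.(N+1); 127.0.0.1 stays the host's.
jail_addr() {
    echo "127.0.0.$(( $1 + 1 ))"
}

# Alias the jail's address onto lo0. A host mask is used because the alias lies
# in the same subnet as 127.0.0.1 (the convention ifconfig(8) documents).
alias_loopback() {
    run ifconfig lo0 alias "$(jail_addr "$1")" netmask 0xffffffff
}

# Drop anything from the wire that claims a loopback destination, so the jail
# addresses are only reachable through the fwd rules on the public address.
deny_spoofed_loopback() {
    run ipfw add 900 deny ip from any to 127.0.0.0/8 in via "$EXT_IF"
}

# Forward public port $2 on EXT_IP to port $3 at jail $1's loopback address.
# Rule numbers are spaced 10 apart per jail so each jail keeps a small block.
fwd_rule() {
    rule=$(( 1000 + $1 * 10 ))
    run ipfw add "$rule" fwd "$(jail_addr "$1"),$3" tcp from any to "$EXT_IP" "$2" in via "$EXT_IF"
}

# Start jail $1 with hostname $2, bound to its alias. Processes inside can only
# bind sockets to that address, so they cannot take over ports on EXT_IP.
start_jail() {
    run jail "$JAIL_ROOT/$2" "$2" "$(jail_addr "$1")" /bin/sh /etc/rc
}

# Full sequence for one jail: $1 number, $2 hostname, $3 public port, $4 jail port.
setup_jail() {
    alias_loopback "$1"
    fwd_rule "$1" "$3" "$4"
    start_jail "$1" "$2"
}

# Example use: a jailed web server behind port 80 and a second jail whose sshd
# is reached on a separate public port, as the reply suggests.
deny_spoofed_loopback
setup_jail 1 www1 80 80
setup_jail 2 shell1 2222 22
```

With DRY_RUN=0 the same script applies the configuration; run it from rc.local or an equivalent start-up hook so the aliases and rules exist before the jails start. A front-end proxy on the host (apache or squid, as in the reply) would simply connect to 127.0.0.2:80 and so on instead of using fwd rules for HTTP.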