From owner-freebsd-security Tue Apr 2 21:21:28 2002
Date: Wed, 3 Apr 2002 17:21:11 +1200 (NZST)
From: Andrew McNaughton <andrew@scoop.co.nz>
To: "David G . Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Jail with one IP?
In-Reply-To: <20020402181402.A27138@cs.utah.edu>
Message-ID: <20020403170935.R86973-100000@a2>

What I do is to alias extra IPs to the loopback interface, i.e. my ifconfig output looks something like this:

    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet 127.0.0.2 netmask 0xff000000
            inet 127.0.0.3 netmask 0xff000000

I then use those IPs for jails. I pass packets on with ipfw forwarding rules and via proxies on the externally available IP.

E.g. you can use this approach to set up a bunch of jailed apache servers and pass connections to them internally from a single front end proxy implemented with either apache or squid. The front end proxy can service many virtual domains with a single external IP.

Presumably something similar would be possible with incoming smtp, but I haven't yet set that up.

For ssh access to the jail environments it is easiest to set up on separate ports. I've wondered about setting up user accounts which immediately exec a second internal ssh connection to the appropriate jail using a key based login, but I don't know quite enough about whether there are ways to subvert this.
Andrew McNaughton

On Tue, 2 Apr 2002, David G . Andersen wrote:

> Date: Tue, 2 Apr 2002 18:14:02 -0700
> From: David G . Andersen
> To: freebsd-security@FreeBSD.ORG
> Subject: Jail with one IP?
>
> Does anyone have warnings / experience with how Jail will behave
> when used with a single IP address, as "chroot++"?
> What I'm really looking for is something that's a
> hybrid between chroot and jail; my machines have only a single IP address,
> but I'd like the benefit of a real Jail environment, that people can access
> through an sshd started on a different port from within the jail.
>
> It seems to have the dangers one would expect - root inside the jail can bind
> TCP ports that take over those from the external jail environment (highly
> bummer), but these can likely be fixed with a little bit of hackery,
> or very easily by denying binding to ports < 1024 from the jail environment..
> are there any other caveats of which I should be aware before heading down
> this road? Or has anyone else done this before and has lots of good advice?
>
> TIA,
>
> -Dave
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
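The scheme Andrew describes above (an extra loopback alias per jail, ipfw forwarding from the single public address, the jail bound to its alias) as an added shell example; this is not code from the post or from FreeBSD, and EXT_IP, JAIL_ROOT, the jail directory layout and the /32 alias netmask are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list post: one jail per loopback alias,
# reached from outside through ipfw fwd rules.
# Assumptions (not from the post): EXT_IP is the host's single public
# address (placeholder value), JAIL_ROOT holds the jail trees, and
# DRY_RUN=1 prints the commands instead of running them (the default).
EXT_IP="${EXT_IP:-192.0.2.10}"
JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_alias IP: give lo0 an extra 127.x address for a jail.  The /32
# netmask is an assumption; the post's ifconfig output shows 0xff000000.
add_alias() {
    run ifconfig lo0 alias "$1" netmask 0xffffffff
}

# forward EXT_PORT IP JAIL_PORT: hand TCP connections arriving on the
# public address at EXT_PORT to the jail's loopback address.  Only ports
# listed this way are reachable; everything else stays on 127/8.
forward() {
    run ipfw add fwd "$2,$3" tcp from any to "$EXT_IP" "$1" in
}

# start_jail NAME IP: FreeBSD 4.x jail(8) arguments are path, hostname,
# address, command.  Because the jail is bound to its loopback alias,
# root inside it cannot bind sockets on EXT_IP, which addresses the
# port-takeover concern raised in the quoted question.
start_jail() {
    run jail "$JAIL_ROOT/$1" "$1" "$2" /bin/sh /etc/rc
}

# A web jail on 127.0.0.2: its sshd is reached via public port 2222;
# HTTP is left to the front-end proxy on EXT_IP, as in the post.
add_alias 127.0.0.2
forward 2222 127.0.0.2 22
start_jail www1 127.0.0.2
```

Run with DRY_RUN=0 as root on the FreeBSD host to apply the commands instead of printing them.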