From: Ivan Voras
To: freebsd-questions@freebsd.org
Date: Fri, 15 Oct 2010 15:54:35 +0200
Subject: Re: Jail question

On 10/14/10 18:20, Matthew Law wrote:
> I have a single box on which I would like to run openvpn, smtp (postfix,
> dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also
> acts as a network gateway so it would give an attacker carte blanche to
> the internal nets if it was compromised, which makes me nervous. The plan
> is to run openvpn as the only unjailed service and the rest of the
> services in a single jail or their own jails.
>
> I have never touched jails before and I'm a bit unsure of the best way to
> go. I realise that I can jail a service or a copy of the whole system
> (service would be preferable for space efficiency) but I am unclear on how
> to deal with IP addresses in jailed environments and if I should create
> individual jails or a single jail for all services. At the moment I am
> leaning toward a single system jail for everything so I can keep the space
> in which openvpn runs as uncluttered as possible and also have a single
> postgres instance shared by the other services. Basically, if any of the
> public services in the jail are compromised I would like to make it very
> hard for the attacker to see the internal network.

Since jails can do many things there are many "helper" utilities that can
do much to simplify the process. If you can hack python, you can, for
example, modify my script at http://ivoras.sharanet.org/stuff/mkjails.py
which I've used to create a thousand very light-weight jails which are
started and managed using only standard FreeBSD tools.

In any case, read the rc.conf(5) man page for the jail_* settings.

> If I use this scheme must I use separate public IPs for openvpn and the
> services jail or is it possible to use a single IP or some NAT/PAT scheme?
> -this box currently has 4 x NICs split into 2x lagg interfaces in failover
> mode (one public, one private), if that makes any difference....

This is the more complex question; I think that everything which needs
direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be run
on the host system. TCP services will work inside jails without problems,
but with jails it's almost the same as if they were on another system.

If you do use NAT you will have to configure it on the host. Instead, you
can also use TCP proxies (like bsdproxy). It's up to you how much
complexity you want in your system, but for simplicity I would set up a
single outward-facing IP address and then proxy TCP services where I need
them.
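The rc.conf(5) jail_* settings and the host-side NAT that the reply refers to, as an added example that is not part of the thread and not Ivan Voras's script: a small sh script that renders both fragments for one service jail sitting behind the host's single public address. Every name and address in it is an assumption (lagg0 as the public lagg, lagg1 as the private one, a jail called "mail" with the private address 10.0.1.10 under /usr/jails/mail, and ports 25, 80 and 143 redirected to it); the pf rule syntax and the jail_<name>_* variable names are the standard ones from pf.conf(5) and rc.conf(5).

```shell
#!/bin/sh
# Added example, not from the thread: render the rc.conf(5) jail_* settings
# for one service jail and the host-side pf.conf rules that let it sit behind
# the host's single public address. All names and addresses are assumptions:
# lagg0 is the public lagg, lagg1 the private one, the jail "mail" gets
# 10.0.1.10 on lagg1 and lives under /usr/jails/mail.
set -eu

# jail_rc NAME IP IFACE ROOTDIR HOSTNAME
# Prints the rc.conf(5) lines. At boot the rc script adds IP as an alias on
# IFACE and starts the jail from ROOTDIR (a full system copy or a light-weight
# tree; the settings are the same either way).
jail_rc() {
    name=$1; ip=$2; iface=$3; root=$4; host=$5
    cat <<EOF
jail_enable="YES"
jail_list="${name}"
jail_${name}_rootdir="${root}"
jail_${name}_hostname="${host}"
jail_${name}_ip="${ip}"
jail_${name}_interface="${iface}"
jail_${name}_devfs_enable="YES"
EOF
}

# pf_rules EXT_IF INT_IF JAIL_IP "PORT PORT ..."
# Prints pf.conf lines to merge into the host ruleset (translation rules
# first, as pf.conf(5) requires): outbound NAT for the jail's private address,
# an inbound redirect of each listed TCP port on the public address to the
# jail, and a filter that keeps a compromised jail from initiating anything
# towards the internal network. The jail itself never holds the public IP;
# what it can reach is decided here, on the host.
pf_rules() {
    ext_if=$1; int_if=$2; jail_ip=$3; ports=$4
    list=$(printf '%s' "$ports" | sed 's/ /, /g')
    printf 'ext_if = "%s"\nint_if = "%s"\njail_ip = "%s"\n' "$ext_if" "$int_if" "$jail_ip"
    printf 'nat on $ext_if from $jail_ip to any -> ($ext_if)\n'
    for p in $ports; do
        printf 'rdr on $ext_if proto tcp from any to ($ext_if) port %s -> $jail_ip port %s\n' "$p" "$p"
    done
    # Inbound: only the redirected service ports reach the jail.
    printf 'pass in on $ext_if proto tcp from any to $jail_ip port { %s } keep state\n' "$list"
    # Outbound: jail processes run on the host, so their traffic is "out";
    # drop anything from the jail heading onto the private lagg, allow the
    # rest (updates, outbound mail) via the NAT above.
    printf 'block out quick on $int_if from $jail_ip to any\n'
    printf 'pass out on $ext_if from $jail_ip to any keep state\n'
}

# Stage both fragments for review before merging them into /etc/rc.conf and
# /etc/pf.conf on the host.
jail_rc mail 10.0.1.10 lagg1 /usr/jails/mail mail.example.org
echo '# --- pf.conf fragment ---'
pf_rules lagg0 lagg1 10.0.1.10 "25 80 143"
```

One caveat worth checking after the jail is up: a jail's address is an ordinary alias on the host interface, so any host daemon that binds INADDR_ANY on the same port (sshd on 22, for instance) will also answer on the jail's address. Bind the host's own services to the host's addresses explicitly, then confirm with `sockstat -4l` on the host that each listening socket belongs to the jail or host you expect.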