From: BSD Mail
To: FreeBSD-questions@freebsd.org
Date: Sun, 13 Mar 2005 03:15:57 -0800
Subject: To Jail behind NAT or not.

Greetings all,

I have the following topology:

    Internet ----- Gateway ----- DMZ
                      |
                     LAN

I'm using PF to redirect traffic to the DMZ machine, which carries the following: bind9; postfix; dovecot (imaps, pop3s); openwebmail; apache13; isc dhcp; sfs; ftps. I have SSL certs for services such as mail/web/ftp.
The gateway machine has 3 NICs and doesn't have any service enabled on its external interface nor its internal ones. Remote access to the gateway is denied; only console access is allowed. It only forwards traffic to the inside DMZ. Also, my LAN is on a different subnet from the DMZ.

If all my services are behind that NAT box, is it premature or too paranoid to have multiple jails, one for postfix, another for apache, and so on, on the DMZ machine that is hosting all these services? Or can I say that I'm protected to a good enough extent that jail won't give me any additional protection, because the services are behind NAT?

I use SSH keys to access any machine on my network, and I have OTP configured if I need access from outside my network for college.

Thanks for the insight.

-- 
Regards,
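The point the question turns on is that NAT and port redirection only decide which ports from the Internet reach the DMZ host; they say nothing about what a compromised service can do once it is running there. With every daemon in one host, a bug in apache or postfix hands the attacker the whole DMZ machine, including the other daemons' keys, certificates and mailboxes, and a foothold from which the LAN can be probed. Per-service jails limit that blast radius on the host, and the gateway's filter can limit it on the wire. The following pf.conf fragment for the gateway is an added example, not the poster's configuration: it redirects each published service to the address of its own jail on the DMZ host and refuses connections that the DMZ tries to open into the LAN. The interface names, subnets and jail addresses are assumptions; each jail is assumed to be bound to its own alias address on the DMZ host's interface, as jail(8) requires.

```pf
# Assumed gateway layout: fxp0 to the Internet, fxp1 to the DMZ, fxp2 to the LAN.
ext_if  = "fxp0"
dmz_if  = "fxp1"
lan_if  = "fxp2"
dmz_net = "192.168.2.0/24"      # assumed DMZ subnet
lan_net = "192.168.1.0/24"      # assumed LAN subnet

# Assumed per-service jail addresses, aliased on the DMZ host's interface.
web_jail  = "192.168.2.11"      # apache13 + openwebmail
mail_jail = "192.168.2.12"      # postfix + dovecot
dns_jail  = "192.168.2.13"      # bind9

set skip on lo0
scrub in all

# Hide DMZ and LAN behind the gateway's external address.
nat on $ext_if from { $dmz_net, $lan_net } to any -> ($ext_if)

# Publish only the services that must be reachable, each to its own jail.
# Anything not listed here never reaches the DMZ host at all.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 }      -> $web_jail
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 993, 995 } -> $mail_jail
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 53      -> $dns_jail

# Default deny; every pass below is explicit.
block log all

# Translation runs before filtering, so filter on the jail addresses.
pass in on $ext_if proto tcp to $web_jail  port { 80, 443 }      keep state
pass in on $ext_if proto tcp to $mail_jail port { 25, 993, 995 } keep state
pass in on $ext_if proto { tcp, udp } to $dns_jail port 53         keep state
pass out on $ext_if keep state

# A compromised jail may answer the connections it received, but it may not
# start new ones toward the LAN. Replies are matched by the state entries above.
block in log on $dmz_if from $dmz_net to $lan_net
pass  in on $dmz_if from $dmz_net to ! $lan_net keep state

# The LAN may reach the DMZ and the Internet.
pass in on $lan_if from $lan_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. The `block in log on $dmz_if ... to $lan_net` rule is the one worth watching in `pflog0`: a DMZ host that suddenly starts opening connections toward the LAN is a sign that one of its services has been taken over, and the jail boundary is what keeps that takeover from also reaching the other services on the same host.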