From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 07:16:24 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A72137B401 for ; Mon, 14 Jul 2003 07:16:24 -0700 (PDT)
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id C333343F93 for ; Mon, 14 Jul 2003 07:16:23 -0700 (PDT) (envelope-from vjones62@earthlink.net)
Received: from rowlf.psp.pas.earthlink.net ([207.217.78.187]) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 19c47r-0000Wj-00 for freebsd-security@freebsd.org; Mon, 14 Jul 2003 07:16:23 -0700
Received: from [207.217.78.203] by EarthlinkWAM via HTTP; Mon Jul 14 07:16:23 PDT 2003
Message-ID: <4654247.1058192183103.JavaMail.nobody@rowlf.psp.pas.earthlink.net>
Date: Mon, 14 Jul 2003 10:13:46 -0700 (PDT)
From: "V. Jones"
To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Earthlink Web Access Mail version 3.0
Subject: Re: Re: Re: jails, ipfilter & stunnel
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 14 Jul 2003 14:16:24 -0000

> >>You don't have to have multiple IP aliases for multiple jails. Or at
> >>least there is no technical necessity for this (in FreeBSD 4.x, that is,
> >>don't know about 5.x). If it's just about running server processes in
> >>their own jail (no port number conflicts) you can have all jails on the
> >>same IP address and do the IP filtering (if necessary at all in this
> >>scenario) based on port numbers.
> >
> > Okay, I didn't realize I could run more than one jail on one ip address.
> > I guess if I needed ssh on each jailed server I could just make sure the
> > port number is unique.
>
> True, sshd would cause a port conflict. Since you cannot inject
> processes into already running jails in FreeBSD 4.x you better have an
> sshd in each of them. I agree that different port numbers would be the
> way to go here.
>
> >>>Finally, I'd like to use SSL to offer secure web connections & secure
> >>>email without having to buy two certificates. Am I getting too cute if I
> >>>accept ssl connections on one ip address and use stunnel to route them to
> >>>the appropriate jailed server?
> >>
> >>In case of all jails on one IP address this problem goes away, too. You
> >>could define a generic domain name for the SSL stuff, for instance
> >>'secure.domain.tld', get a certificate for that and use it for web as
> >>well as email and other purposes.
> >>
> >> Uwe
> >>
> >
> > This confuses me - doesn't the host name have to match the certificate?
> > Can two jails have the same host name too?
>
> Two jails can have the same name. With
>
> sysctl jail.set_hostname_allowed=[01]
>
> you can even configure whether you can set the host names from the
> inside, to whatever you want.
>
> Apart from this, a server's host name isn't really important for most
> services and daemons. You can usually set the names under which they
> are supposed to operate in their respective config files. This is
> certainly true for Apache, while POP3/IMAP4 daemons usually don't care
> about the host name they get contacted with. There it is just important
> that you use 'secure.domain.tld' on the client side, in order to match
> the certificate's domain name. And for SMTP you can point the DNS MX
> records to 'secure.domain.tld'. All this has nothing to do with the
> host name used for the respective jail.
>
> Hope this wasn't too confusing.
>
> Uwe
>

Okay, thanks. I'll have to do some experimenting and see how it works.
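The scheme the thread settles on (several jails on one IP address, unique port per daemon, one certificate for secure.domain.tld with stunnel in front of the plaintext services) as an added example; it is not code from anyone in the thread. It assumes a constructed jail/port plan, a placeholder shared address 192.0.2.10, and stunnel's INI-style config keys (cert, accept, connect).

```sh
#!/bin/sh
# Constructed port plan for jails that all share one host IP (placeholder 192.0.2.10).
# Format per line: jail:service:listen_port:backend_port
# backend_port "-" means the daemon listens on listen_port itself (no stunnel in front).
PLAN_OK='web:https:443:8080
web:sshd:2201:-
mail:imaps:993:143
mail:pop3s:995:110
mail:sshd:2202:-'

# Same idea, but both jails run sshd on 22: impossible on a shared address.
PLAN_BAD='web:sshd:22:-
mail:sshd:22:-
mail:imaps:993:143'

# Print every port claimed more than once across all jails (listen and backend
# ports both bind the shared address). Empty output means the plan is conflict-free.
find_conflicts() {
    printf '%s\n' "$1" | awk -F: '{ print $3; if ($4 != "-") print $4 }' | sort -n | uniq -d
}

# Emit an stunnel INI-style config (assumed stunnel 4 keys cert/accept/connect):
# one certificate for secure.domain.tld, one stanza per SSL-wrapped service,
# each terminating TLS on the shared address and forwarding plaintext to the
# jail's backend port on that same address.
gen_stunnel_conf() {
    plan=$1; certfile=$2; host_ip=${3:-192.0.2.10}
    printf 'cert = %s\n' "$certfile"
    printf '%s\n' "$plan" | while IFS=: read -r jail svc lport bport; do
        [ "$bport" = "-" ] && continue    # e.g. sshd: listens directly, not via stunnel
        printf '\n[%s-%s]\naccept = %s\nconnect = %s:%s\n' "$jail" "$svc" "$lport" "$host_ip" "$bport"
    done
}

# Usage: report the conflicting plan, then print the config for the good one.
dupes=$(find_conflicts "$PLAN_BAD")
[ -n "$dupes" ] && echo "port conflict on shared IP: $dupes" >&2
gen_stunnel_conf "$PLAN_OK" /usr/local/etc/stunnel/secure.domain.tld.pem
```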