From owner-freebsd-security@FreeBSD.ORG Wed Mar 8 21:17:39 2006
Date: Wed, 8 Mar 2006 16:17:34 -0500 (EST)
From: Cyril Jaouich
To: freebsd-security@freebsd.org
In-Reply-To: <20060308130742.A11454@home.ephemeron.org>
Message-ID: <20060308211734.73971.qmail@web30602.mail.mud.yahoo.com>
Subject: SUMMARY: Jails and loopback interfaces

Well well, I have received a lot of answers and solutions.

Setup:
Server A hosts a jail B
Jail B is Webserver and Database server

What I want to do:
Limit access to the database by binding the database on the loopback address (127.0.0.1).
Since you can only use 1 ip in a jail and I am running a Web server it has to be a routed address (non RFC1918). Also, when a process inside a jail connects to the loopback (127.0.0.1), you hit the jail's ip and not the loopback ip of the master server (where the jail sits).

In order to secure my database, it's best to use PF to limit exterior access. You can also set up another jail that will use an RFC1918 address.

Thanks to:
Bigby Findrake
Axel Scheepers
Josh Bell
Ricardo A. Reis
Jon

-Cyril
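As an added illustration of the PF approach summarised above (not from Cyril's post or any of the replies): a pf.conf fragment that lets only connections originating from the jail's own address reach the database port, and drops anything for that port arriving on the external interface. The interface name, jail address and database port are assumed placeholders.

```pf
# Added example, not part of the original thread. Assumed values:
#   ext_if  = the host's external interface
#   jail_ip = the routed (non-RFC1918) address assigned to jail B
#   db_port = the port the database inside the jail listens on
ext_if  = "em0"
jail_ip = "192.0.2.10"   # TEST-NET-1 placeholder, substitute the jail's address
db_port = "3306"         # placeholder, substitute the database's port

# A process inside the jail that connects to 127.0.0.1 is rewritten to the
# jail's own address, so web-to-database traffic shows up on lo0 with both
# source and destination equal to $jail_ip. That is the only flow allowed
# to reach the database. (If pf.conf already has "set skip on lo0", this
# rule is never consulted and can be dropped.)
pass in quick on lo0 proto tcp from $jail_ip to $jail_ip port $db_port

# Anything for the database port that arrives on the external interface
# comes from outside the host: drop it, while the web ports stay open.
block in quick on $ext_if proto tcp from any to $jail_ip port $db_port
pass  in quick on $ext_if proto tcp from any to $jail_ip port { 80, 443 }
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `sockstat -4 -l` on the host that the database is really listening on the jail's address rather than on the host's 127.0.0.1.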