Date: Wed, 08 Jun 2011 16:50:11 +0200
From: Erik Nørgaard <norgaard@locolomo.org>
To: "questions@FreeBSD.org Questions" <questions@freebsd.org>
Subject: How to restrict jail's network access?
Message-ID: <4DEF8C23.5010707@locolomo.org>
Hi:

I'm planning to move services to run in jails. Two jails:

1: Mail related: postfix, cyrus imap and openldap
2: Web related: apache and postgresql

No service should be able to connect out of the jail to remote hosts, except for postfix, which needs to connect out to port 25 for delivery to other domains. I don't want to allow ssh out of a jail to the local node, as that could allow a compromised jail to jump to the host server - even if only theoretically.

Both jails need to access the named that runs chrooted on the host server, but may not access remote DNS services. Other than this, any connection to remote nodes or to the host server on the loopback interface must be blocked.

I don't have extra IPs to create jails with separate interfaces, but there are no conflicting port assignments, so this shouldn't be a problem. I have considered isolating the jails by only offering a loopback interface and letting the firewall impose these policies, but is this at all possible?

How would you go about implementing the above policies?

Thanks, Erik
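One way to express the policy described in the message as a pf ruleset is sketched below. This is an added example, not part of Erik's message or of any reply; it assumes the jails are loopback aliases 127.0.0.2 (mail) and 127.0.0.3 (web) on lo0, that the host's chrooted named listens on 127.0.0.1, that the external interface is em0, and it uses the nat/rdr syntax of the pf version FreeBSD shipped at the time (pre-OpenBSD 4.7 style).

```pf
# Added example, not from the original message.
# Assumed addressing (not stated in the post): mail jail 127.0.0.2 and
# web jail 127.0.0.3 as aliases on lo0, host resolver 127.0.0.1, uplink em0.
ext_if    = "em0"
host_dns  = "127.0.0.1"
mail_jail = "127.0.0.2"
web_jail  = "127.0.0.3"
table <jails> { 127.0.0.2, 127.0.0.3 }

# Jail traffic lives on lo0, so lo0 must NOT be skipped ("set skip on lo0"
# would bypass every rule below for jail-originated packets).
set block-policy drop

# Inbound services: map the public ports onto the jail that serves them
# (the post notes there are no conflicting port assignments).
rdr pass on $ext_if proto tcp to ($ext_if) port 25  -> $mail_jail
rdr pass on $ext_if proto tcp to ($ext_if) port 143 -> $mail_jail
rdr pass on $ext_if proto tcp to ($ext_if) port 80  -> $web_jail

# The one outbound exception: SMTP delivery from the mail jail. "nat pass"
# translates the jail's loopback source to the host address and passes the
# packet without consulting the filter rules below.
nat pass on $ext_if proto tcp from $mail_jail to any port 25 -> ($ext_if)

# Default deny for everything else the jails originate: remote hosts,
# remote resolvers, and the host itself (including ssh on 127.0.0.1).
# Logged so a compromised jail probing outward shows up in pflog.
block log from <jails> to any

# Services inside one jail may talk to each other (postfix -> cyrus/ldap,
# apache -> postgresql), but not across jails.
pass quick on lo0 from $mail_jail to $mail_jail
pass quick on lo0 from $web_jail  to $web_jail

# Both jails may reach the host's resolver and nothing else on the host.
pass on lo0 proto { tcp, udp } from <jails> to $host_dns port 53 keep state
```

Replies to connections that were passed in via rdr or out via nat pass are matched by state and therefore are not affected by the block rule; any jail-originated packet with no matching state and no pass rule is dropped and logged.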