From owner-freebsd-questions@FreeBSD.ORG Wed Jun 8 14:50:14 2011
Message-ID: <4DEF8C23.5010707@locolomo.org>
Date: Wed, 08 Jun 2011 16:50:11 +0200
From: Erik Nørgaard <norgaard@locolomo.org>
To: "questions@FreeBSD.org Questions"
Subject: How to restrict jail's network access?

Hi:

I'm planning to move services to run in jails. Two jails:

1: Mail related: postfix, cyrus imap and openldap
2: Web related: apache and postgresql

No service should be able to connect out of the jail to remote hosts, except for postfix, which needs to connect out to port 25 for delivery to other domains. I don't want to allow ssh out of a jail to the local node, as that could allow a compromised jail to jump to the host server - even if only theoretically. Both jails need to access the named that runs chrooted on the host server but may not access remote DNS services.

Other than this, any connection to remote nodes or to the host server on the loopback interface must be blocked. I don't have extra IPs to create jails with separate interfaces, but there are no conflicting port assignments, so this shouldn't be a problem. I have considered isolating the jails by only offering a loopback interface and letting the firewall impose these policies, but is this at all possible?

How would you go about implementing the above policies?

Thanks, Erik
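The policy described in the post, expressed as a pf ruleset. This is an added example, not part of the original message or of any reply to it, and it makes several assumptions the post does not state: that pf is the firewall in use, that the host's external interface is em0 with address 192.0.2.10, that jail 1 (mail) is given 127.0.0.2 and jail 2 (web) 127.0.0.3 as aliases on lo0, that the host's chrooted named also listens on 192.0.2.10, and that the public service ports are 25 for the mail jail and 80/443 for the web jail. It relies on two FreeBSD properties: pf can filter lo0 as long as lo0 is not listed in `set skip`, and packets from a jail to any local address are delivered over lo0, so a jail's attempt to reach sshd on the host or the other jail is visible there.

```pf
# Added example pf.conf for two loopback-only jails (assumptions, not from the post):
#   em0 / 192.0.2.10  host's external interface and address
#   127.0.0.2         jail 1: postfix, cyrus imap, openldap
#   127.0.0.3         jail 2: apache, postgresql
#   named on the host also listens on 192.0.2.10 (see note at the DNS rule)
ext_if    = "em0"
host_ip   = "192.0.2.10"
mail_jail = "127.0.0.2"
web_jail  = "127.0.0.3"
table <jails> const { 127.0.0.2, 127.0.0.3 }

set block-policy drop
# Do NOT "set skip on lo0": the whole point is to filter jail traffic there.

# --- translation ---------------------------------------------------------
# Only the mail jail may leave for remote port 25. It goes out with the
# host's address and carries a tag so the filter rules can recognise it
# after the source has been rewritten.
nat on $ext_if inet proto tcp from $mail_jail to any port 25 tag MAIL_OUT -> ($ext_if)

# Public service ports are redirected into the jails (port choice assumed).
rdr on $ext_if inet proto tcp to ($ext_if) port 25 -> $mail_jail
rdr on $ext_if inet proto tcp to ($ext_if) port { 80, 443 } -> $web_jail

# --- loopback: what a jail may reach on this host ------------------------
# A jail may always talk to itself (apache -> postgresql inside jail 2,
# postfix -> openldap inside jail 1).
pass quick on lo0 from $mail_jail to $mail_jail
pass quick on lo0 from $web_jail to $web_jail

# Both jails may query the host's named and nothing else on the host.
# Note: inside a jail the kernel rewrites 127.0.0.1 to the jail's own
# address, so the jails' resolv.conf must name an address the jail can
# really reach; here that is the host's external address.
pass quick on lo0 inet proto { tcp, udp } from <jails> to $host_ip port 53 keep state

# Anything else a jail sends to a local address (ssh to the host, the other
# jail, any other host daemon) is dropped and logged to pflog0.
block log quick on lo0 from <jails> to any

# The host's own loopback traffic, including host -> jail, is unaffected.
pass quick on lo0

# --- external interface --------------------------------------------------
# The tagged, NATed SMTP connections from the mail jail.
pass out quick on $ext_if inet proto tcp tagged MAIL_OUT flags S/SA keep state

# Any other packet still carrying a jail source address never leaves.
block log quick on $ext_if from <jails> to any

# Clients reaching the redirected service ports (filtering sees the
# translated destination, i.e. the jail address).
pass in quick on $ext_if inet proto tcp to $mail_jail port 25 flags S/SA keep state
pass in quick on $ext_if inet proto tcp to $web_jail port { 80, 443 } flags S/SA keep state

# The host itself (named forwarding queries, updates, ...) may go out.
pass out quick on $ext_if from ($ext_if) keep state

# Default deny.
block log all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the jails are being denied with `tcpdump -n -e -ttt -i pflog0`; an unexpected entry there (for example a jail service trying to reach a remote resolver or port 22 on the host) is exactly the kind of behaviour the policy exists to surface. The rules are ordered for `quick` matching, so each jail-sourced packet is decided by the first rule it hits and the final `block log all` only catches what nothing above addressed.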