From: Uwe Doering
Date: Sun, 13 Jul 2003 08:56:16 +0200
To: "V. Jones"
cc: freebsd-security@freebsd.org
Subject: Re: jails, ipfilter & stunnel

V. Jones wrote:
> I'm setting up a server where I plan to use Jails to improve security
> I also have installed and am configuring ipfilter. Here are my
> questions:
>
> Because I'm using Jails, I will have to have multiple ip aliases on the
> network interface. I will use ipfilter to specify what can go to each
> of the addresses. (e.g., allow only incoming to port 80 on the jail
> running apache).

You don't have to have multiple IP aliases for multiple jails.
Or at least there is no technical necessity for this (in FreeBSD 4.x,
that is, don't know about 5.x). If it's just about running server
processes in their own jail (no port number conflicts) you can have all
jails on the same IP address and do the IP filtering (if necessary at
all in this scenario) based on port numbers.

> Another jailed server will run mail services (pop, smtp, imap). If
> I want to allow users to use web based email (over ssl of course), the
> web server will have to communicate with the mail server. Is there
> a chance of "information leakage" in this type of setup?

Only the information you transmit will leak. That is, you define the
information interchange between the jails, so pondering over the
consequences is on your plate, too. Just assume that each jail has been
broken into by an intruder with evil intentions and ask yourself what
damage he can do with the data he can gather from the other jails.
Paranoia in action, as it were. ;-)

> Finally, I'd like to use SSL to offer secure web connections & secure email
> without having to buy two certificates. Am I getting too cute if I accept
> ssl connections on one ip address and use stunnel to route them to the
> appropriate jailed server?

In case of all jails on one IP address this problem goes away, too. You
could define a generic domain name for the SSL stuff, for instance
'secure.domain.tld', get a certificate for that and use it for web as
well as email and other purposes.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
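
The port-based filtering described in the reply above, as an added example that is not part of the original message: an ipf.conf sketch for several jails sharing one address. The interface name fxp0, the address 192.0.2.10 and the selection of ports are assumptions made for illustration.

```conf
# /etc/ipf.conf sketch: all jails share 192.0.2.10 (constructed address),
# so the rules distinguish services by destination port, not by address.
# Interface fxp0 and the port list are assumptions, not from the thread.

# Loopback traffic is left unfiltered in this sketch.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default: drop and log anything on the external interface that no
# later "quick" rule has accepted.
block in  log on fxp0 all
block out log on fxp0 all

# Web jail: HTTP and HTTPS.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80  flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 443 flags S keep state

# Mail jail: SMTP, POP3, IMAP.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 25  flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 110 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 143 flags S keep state

# Outbound: new TCP connections and DNS lookups from the shared address.
pass out quick on fxp0 proto tcp from 192.0.2.10/32 to any flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.10/32 to any port = 53 keep state
```

Because every jail uses the same address, these rules cannot tell which jail originated an outbound connection; only the inbound service ports are separated.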