From: Alejandro Imass
To: Erik Nørgaard
Cc: questions@FreeBSD.org
Date: Wed, 8 Jun 2011 11:30:02 -0400
Subject: Re: How to restrict jail's network access?

On Wed, Jun 8, 2011 at 10:50 AM, Erik Nørgaard wrote:
> Hi:
>
> I'm planning to move services to run in jails. Two jails:
>
> 1: Mail related: postfix, cyrus imap and openldap
> 2: Web related: apache and postgresql
>
> No service should be able to connect out of the jail to remote hosts, except
> for postfix, which needs to connect out to port 25 for delivery to other
> domains.
> Jails usually run in a private network by default, each has a private IP which is an alias of the lo device

In fact you usually have to explicitly NAT ports from the base system to the Jails.

Try EzJail (yep, easy peasy as its name suggests) and check out these references:

http://erdgeist.org/arts/software/ezjail/
http://www.freebsddiary.org/ezjail.php
http://www.scottro.net/qnd/qnd-ezjail.html
http://www.bsdguides.org/guides/freebsd/security/manage_jails

Best,

--
Alejandro Imass

P.S. You can always hire help for your initial set-up/training, I'm sure many here would be more than happy to do so ;-)
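The NAT-from-the-base-system setup the reply describes, written out as a pf(4) ruleset for the two jails in the question. This is an added example, not from the original thread or from ezjail; it assumes the public interface is em0, the jails live on a cloned loopback lo1 with the private addresses 10.0.0.1 (mail) and 10.0.0.2 (web), and that the host runs pf with the classic nat/rdr syntax of FreeBSD 8/9. Interface names and addresses are placeholders.

```pf
# /etc/pf.conf (example; adjust names and addresses to your host)
ext_if    = "em0"
jail_net  = "10.0.0.0/24"
mail_jail = "10.0.0.1"
web_jail  = "10.0.0.2"

set skip on lo0

# Outbound: NAT *only* the traffic a jail is allowed to originate.
# The mail jail may reach remote SMTP servers; everything else from the
# jail network is deliberately left untranslated so the block rule below
# drops it. The tag lets the filter recognise this traffic after NAT, since
# pf translates before it filters on the outbound interface and the
# filter rules would otherwise see the host's own address as the source.
nat on $ext_if proto tcp from $mail_jail to any port 25 tag JAIL_SMTP_OUT -> ($ext_if)

# Inbound: redirect published service ports from the base system to the jails.
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 143, 993 } -> $mail_jail
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 }      -> $web_jail

block log all

# Any jail packet that reached the outside interface without being NATed
# is a jail trying to connect somewhere it was not allowed to.
block out log quick on $ext_if from $jail_net to any

# The base system itself may talk out (ssh, updates, DNS for the host).
pass out on $ext_if from ($ext_if) to any keep state

# Mail jail outbound delivery, matched by the tag set in the nat rule.
pass out on $ext_if proto tcp tagged JAIL_SMTP_OUT flags S/SA keep state

# Inbound connections to the redirected service ports. The filter sees the
# post-rdr destination, i.e. the jail address.
pass in on $ext_if proto tcp from any to $mail_jail port { 25, 143, 993 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $web_jail  port { 80, 443 }      flags S/SA keep state

# Base system administration access
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `tcpdump -n -e -ttt -i pflog0` while a jail tries an outbound connection it should not be allowed: the logged drop on the `block out quick` rule is the confirmation that the restriction holds. One caveat the question does not mention: unless postfix is configured with a relayhost, it has to resolve MX records, so the mail jail also needs a path to a resolver (either a local caching resolver on the host, or a second nat/pass pair for UDP/TCP port 53 to a specific nameserver).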