Date: Mon, 14 Jul 2003 11:44:57 +0200
From: Uwe Doering <gemini@geminix.org>
To: "V. Jones" <vjones62@earthlink.net>
Cc: freebsd-security@freebsd.org
Subject: Re: jails, ipfilter & stunnel
Message-ID: <3F127B99.7040700@geminix.org>
In-Reply-To: <4346655.1058114953973.JavaMail.nobody@skeeter.psp.pas.earthlink.net>
References: <4346655.1058114953973.JavaMail.nobody@skeeter.psp.pas.earthlink.net>
V. Jones wrote:
>> You don't have to have multiple IP aliases for multiple jails. Or at
>> least there is no technical necessity for this (in FreeBSD 4.x, that is,
>> don't know about 5.x). If it's just about running server processes in
>> their own jail (no port number conflicts) you can have all jails on the
>> same IP address and do the IP filtering (if necessary at all in this
>> scenario) based on port numbers.
>
> Okay, I didn't realize I could run more than one jail on one IP address.
> I guess if I needed ssh on each jailed server I could just make sure the
> port number is unique.

True, sshd would cause a port conflict. Since you cannot inject processes
into already running jails in FreeBSD 4.x, you had better have an sshd in
each of them. I agree that different port numbers would be the way to go
here.

>>> Finally, I'd like to use SSL to offer secure web connections & secure
>>> email without having to buy two certificates. Am I getting too cute if
>>> I accept SSL connections on one IP address and use stunnel to route
>>> them to the appropriate jailed server?
>>
>> In case of all jails on one IP address this problem goes away, too. You
>> could define a generic domain name for the SSL stuff, for instance
>> 'secure.domain.tld', get a certificate for that and use it for web as
>> well as email and other purposes.
>>
>> Uwe
>
> This confuses me - doesn't the host name have to match the certificate?
> Can two jails have the same host name too?

Two jails can have the same name. With sysctl jail.set_hostname_allowed=[01]
you can even configure whether you can set the host names from the inside,
to whatever you want.

Apart from this, a server's host name isn't really important for most
services and daemons. You can usually set the names under which they are
supposed to operate in their respective config files. This is certainly
true for Apache, while POP3/IMAP4 daemons usually don't care about the host
name they get contacted with. There it is just important that you use
'secure.domain.tld' on the client side, in order to match the certificate's
domain name. And for SMTP you can point the DNS MX records to
'secure.domain.tld'. All this has nothing to do with the host name used for
the respective jail.

Hope this wasn't too confusing.

     Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
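The thread's practical point is that several jails sharing one IP address must not bind the same port (sshd being the obvious offender). Below is an added example, not from the original thread or from Uwe's or V. Jones's setup: a small POSIX sh/awk check that takes a hand-maintained inventory of which jail binds which ip/proto/port (the inventory format and the jail names, addresses and ports are constructed for illustration; in practice you would fill it from each jail's sshd_config Port, httpd.conf Listen and so on) and reports every ip/proto/port triple claimed by more than one jail.

```shell
#!/bin/sh
# Added example: find port conflicts among jails that share an IP address.
# Inventory format (constructed for this example), one service per line:
#   <jail> <ip> <proto> <port>
# The addresses below are documentation-range (RFC 5737) placeholders.
SAMPLE='web1 192.0.2.10 tcp 22
web1 192.0.2.10 tcp 80
mail1 192.0.2.10 tcp 22
mail1 192.0.2.10 tcp 25
mail1 192.0.2.10 tcp 993
db1 192.0.2.11 tcp 22'

# Print one line per conflicting triple, "ip/proto/port: jailA jailB ...",
# sorted so the output is stable regardless of awk's hash iteration order.
check_port_conflicts() {
    printf '%s\n' "$1" | awk '
        NF == 4 {
            key = $2 "/" $3 "/" $4      # one socket identity per ip/proto/port
            jails[key] = jails[key] " " $1
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] > 1) print k ":" jails[k]
        }' | sort
}

# Exit 0 when at least one conflict exists, 1 otherwise; handy as a guard
# before starting jails from a script (inverted sense so it reads naturally).
has_conflicts() {
    [ -n "$(check_port_conflicts "$1")" ]
}

# Usage: web1 and mail1 both want sshd on 192.0.2.10:22; db1 is on its own IP
# so its port 22 does not collide.
check_port_conflicts "$SAMPLE"
```

Jails on separate IP aliases (db1 above) never collide with each other, which is exactly why the question of port planning only arises when jails share an address. Note that the check only covers what you put in the inventory; it does not inspect running sockets, so keep the inventory in step with the per-jail config files.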