From: "No@SPAM@mgEDV.net"
Reply-To: nospam@mgedv.net
To: freebsd-security@FreeBSD.ORG
Cc: 'Oliver Fromme'
Date: Thu, 4 May 2006 17:07:15 +0200
Subject: RE: Jails and loopback interfaces
In-Reply-To: <200605041415.k44EFYKF043028@lurza.secnetix.de>
Message-ID: <001401c66f8c$6dd0e8b0$01010101@avalon.lan>
List-Id: "Security issues [members-only posting]"

> In fact, it is a good idea to _always_ bind jails to non-routable
> loopback IPs. For example:
>
> jail 1 (webserver) on 127.0.0.2
> jail 2 (database) on 127.0.0.3
>
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.

OK, technically I get this, but wouldn't it confuse the daemons and slow down the network connections if I use packet forwarding for each packet, let's say a daemon reads from syslog-services and writes to databases?
> Of course there's no problem accessing the database from
> the webserver. Note that you have complete control over
> who can access what, by using your favourite packet filter
> (IPFW, IPF, PF).

This part I definitely don't get. Let's assume this one:

192.168.10.1 = jail IP of the ws
127.0.0.1 = jail IP of the db

Sending to 127.0.0.1 is not possible on 192.168.134.1 (the kernel re-routes it to 192.168.134.1 if man jail is correct). If I set up forwarding rules, I'd have to set up something for the real IP's port, no? And I assumed that the setup mentioned can live without additional firewall rules. I for sure have some "what the hell... how-to" problem with jails, currently ;-)
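As an added illustration (not part of the thread, and not Oliver's or the poster's own configuration), here is an ipfw rule set for the layout Oliver describes: the webserver jail on 127.0.0.2, the database jail on 127.0.0.3, a public address forwarded to the webserver, and the database reachable only from the webserver jail. The external interface em0, the public address 192.0.2.10 and the database port 5432 are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the thread: an ipfw rule set for the layout
# Oliver describes (jails on loopback aliases, public traffic forwarded in).
# Assumed names: external interface em0, public address 192.0.2.10,
# webserver jail on 127.0.0.2, database jail on 127.0.0.3, database port 5432.
EXT_IF=${EXT_IF:-em0}
PUBLIC_IP=${PUBLIC_IP:-192.0.2.10}
WWW_JAIL=${WWW_JAIL:-127.0.0.2}
DB_JAIL=${DB_JAIL:-127.0.0.3}
DB_PORT=${DB_PORT:-5432}
fwcmd=${fwcmd:-/sbin/ipfw}

# One rule per line, as ipfw(8) takes them after "ipfw add".
# Jail-to-jail traffic stays on lo0 and is filtered like any other packet, so
# the database is reachable only from the webserver jail and nothing else;
# only connections arriving from outside need the fwd rule (which needs a
# kernel built with IPFIREWALL_FORWARD on FreeBSD releases of that era).
jail_rules() {
    cat <<EOF
100 allow tcp from ${WWW_JAIL} to ${DB_JAIL} ${DB_PORT}
110 allow tcp from ${DB_JAIL} ${DB_PORT} to ${WWW_JAIL}
120 deny log ip from any to ${DB_JAIL}
200 allow ip from any to any via lo0
300 fwd ${WWW_JAIL},80 tcp from any to ${PUBLIC_IP} 80 in via ${EXT_IF}
400 allow tcp from any to any out via ${EXT_IF}
65000 deny log ip from any to any
EOF
}

# Number of rules, handy for a quick sanity check before loading them.
rule_count() {
    jail_rules | grep -c .
}

# Add the loopback aliases the jails bind to, then load the rule set (host only).
apply_rules() {
    for ip in "$WWW_JAIL" "$DB_JAIL"; do
        ifconfig lo0 alias "$ip" netmask 0xffffffff
    done
    $fwcmd -f flush
    jail_rules | while read -r rule; do
        $fwcmd add $rule
    done
}

# "sh jailfw.sh apply" on the jail host loads everything; with no argument the
# script just prints the rule set for review.
if [ "${1:-}" = apply ]; then apply_rules; else jail_rules; fi
```

Note that rule 200 sits after the database rules on purpose: a blanket "allow via lo0" placed first would let every jail reach the database socket.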