From: Dino Vliet <dino_vliet@yahoo.com>
To: freebsd-questions@freebsd.org
Date: Tue, 13 Oct 2009 06:51:59 -0700 (PDT)
Subject: freebsd jail: web and database server config questions
Message-ID: <815964.80537.qm@web51104.mail.re2.yahoo.com>

Dear FreeBSD people,

To consolidate resources I have configured a machine to run both a web and database server (powering my database-driven website).

Due to security concerns I'm contemplating introducing a jailed environment on this machine and want to know if this would be feasible. I have a few questions for the FreeBSD community regarding this approach and hope someone would give me some advice.

Is it advisable/wise/okay/clever to run a webserver on my host system and a database server on my jailed system? The webserver will need to connect to the database system on startup and update the database based on client access.

However, if a machine gets compromised, it would rather be the webserver, therefore running the webserver in the jailed environment seems better to me. But how could that be done, if the webserver needs to connect through tcp/ip to the database server running on the host system? I thought that a key feature of a jailed system is that it can't access resources outside the jail.

And how do I go about it when I need to update my host system due to a security advisory? I heard the jailed environment will not be affected? So basically that means I would need to create a new jail every time I recompile (as that's the way I'm using to stay current).

Hope to hear from you,
Brgds
Dino
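A host configuration that answers the architecture question above in config form: the web server runs in a jail with its own addresses, and the host firewall lets only that jail's internal address reach the database port on the host. This is an added example, not part of Dino's post or any reply; it assumes the jail.conf(5) format (newer than the rc.conf jail_* variables in use when the post was written) and assumed values: jail name www, external interface em0, public address 192.0.2.10, PostgreSQL on port 5432, jail root /usr/jails/www.

```conf
# --- /etc/rc.conf (host) -------------------------------------------------
# A second loopback carries jail<->host database traffic, so it never touches
# the wire and can be filtered separately from lo0.
cloned_interfaces="lo1"
ifconfig_lo1="inet 127.0.1.1 netmask 255.255.255.255"   # host side; DB listens here
pf_enable="YES"
jail_enable="YES"
jail_list="www"

# --- /etc/jail.conf (host) -----------------------------------------------
# The web server lives in the jail. A jail is not cut off from TCP/IP: it is
# restricted to the addresses listed here, but may connect anywhere from them.
www {
    path = /usr/jails/www;                  # assumed jail root
    host.hostname = www.example.internal;   # assumed name
    ip4.addr = "em0|192.0.2.10/32",         # public side, for HTTP/HTTPS clients
               "lo1|127.0.1.2/32";          # internal side, for talking to the DB
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;                      # stock jail ruleset: no raw disk/net devices
    allow.raw_sockets = 0;                  # default, stated explicitly
    allow.set_hostname = 0;
}

# --- /etc/pf.conf (host) -------------------------------------------------
ext_if   = "em0"          # assumed external interface
www_jail = "127.0.1.2"    # jail's internal address
db_host  = "127.0.1.1"    # host address the database listens on
db_port  = "5432"         # assumed PostgreSQL; 3306 for MySQL

set skip on lo0           # lo1 is deliberately NOT skipped, so rules apply to it
block in log all          # default deny; pf is last-match, passes below override
pass out keep state

# host administration (adjust to your own access method before enabling)
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# the web jail is reachable from the Internet on 80/443 only
pass in on $ext_if proto tcp to 192.0.2.10 port { 80 443 } keep state

# the database accepts connections from the web jail's internal address only;
# nothing on em0 and no other loopback address matches a pass rule for $db_port
pass in on lo1 proto tcp from $www_jail to $db_host port $db_port keep state
```

The database itself must be configured to listen on 127.0.1.1 rather than 0.0.0.0, and the jail's userland is updated separately from the host (the kernel is shared, so a kernel advisory is fixed once on the host while a userland advisory must be applied inside each jail as well).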