From owner-freebsd-security@FreeBSD.ORG Thu May 4 15:39:30 2006
Date: Thu, 4 May 2006 17:39:18 +0200 (CEST)
Message-Id: <200605041539.k44FdIpP046875@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
In-Reply-To: <001401c66f8c$6dd0e8b0$01010101@avalon.lan>
X-Newsgroups: list.freebsd-security
User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386))
Subject: Re: Jails and loopback interfaces
List-Id: "Security issues [members-only posting]"

No@SPAM@mgEDV.net wrote:
> > In fact, it is a good idea to _always_ bind jails to non-
> > routable loopback IPs. For example:
> >
> > jail 1 (webserver) on 127.0.0.2
> > jail 2 (database) on 127.0.0.3
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.
>
> ok, technically i get this, but wouldn't it confuse the daemons

No, it doesn't confuse the daemons. Why should it?

> and slow down the network connections if i use packet forwarding
> for each packet let's say a daemon reads from syslog-services
> and writes to databases?

No, the overhead is negligible. The only thing that IPFW FWD
does is to adjust the forwarding path of the packet.

> > Of course there's no problem accessing the database from
> > the webserver. Note that you have complete control over
> > who can access what, by using your favourite packet filter
> > (IPFW, IPF, PF).
>
> this part i definitely don't get. let's assume this one:
>
> 192.168.10.1 = jail ip of the ws
> 127.0.0.1 = jail ip of the db

Don't use those IPs. In particular it's probably not a good
idea to use localhost as a jail IP. Use only loopback IPs
(other than localhost), like the example that I wrote above.

And of course you should use appropriate packet filter rules
to enforce what kind of access between the jails is allowed.
Only allow what you need.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"... there are two ways of constructing a software design: One way is
to make it so simple that there are _obviously_ no deficiencies and the
other way is to make it so complicated that there are no _obvious_
deficiencies."
        -- C.A.R. Hoare, ACM Turing Award Lecture, 1980
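The layout Oliver describes (jails on 127.0.0.2 and 127.0.0.3, an IPFW FWD rule that steers traffic for the host's real IP into the webserver jail, and packet filter rules that allow only the webserver-to-database path between the jails) as an added example written for this page; it is not code from the thread or from the FreeBSD project. The script only generates an ipfw(8) rule file, it does not load it, so it can be inspected before use. The public address 203.0.113.10 is a placeholder for the host's routable IP, and the database port 5432 is a constructed value; both are assumptions, as are the rule numbers.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an ipfw(8) rule set
# for two jails bound to non-localhost loopback IPs.
#
# Assumptions (placeholders, not values from the thread):
#   203.0.113.10  the host's real, routable IP
#   5432          the port the database jail listens on
# The loopback jail IPs 127.0.0.2 / 127.0.0.3 are the ones from the thread.

PUBLIC_IP="203.0.113.10"
WS_JAIL="127.0.0.2"   # jail 1 (webserver)
DB_JAIL="127.0.0.3"   # jail 2 (database)
WS_PORT="80"
DB_PORT="5432"

# lo_alias_cmds: the ifconfig(8) commands that give lo0 the two jail
# addresses. Each alias gets a /32 netmask so it does not widen the
# loopback network.
lo_alias_cmds() {
    for ip in "$WS_JAIL" "$DB_JAIL"; do
        printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n' "$ip"
    done
}

# fwd_rule NUM PUBLIC_IP PUBLIC_PORT JAIL_IP JAIL_PORT
# Inbound TCP for PUBLIC_IP:PUBLIC_PORT is handed to the socket bound on
# JAIL_IP:JAIL_PORT. fwd does not rewrite the packet, it only changes
# where the stack delivers it, which is why the overhead is negligible.
fwd_rule() {
    printf 'add %s fwd %s,%s tcp from any to %s %s in\n' "$1" "$4" "$5" "$2" "$3"
}

# jail_link NUM SRC_IP DST_IP DST_PORT
# One permitted TCP path between jails; keep-state lets the replies
# through without a second explicit rule.
jail_link() {
    printf 'add %s allow tcp from %s to %s %s setup keep-state\n' "$1" "$2" "$3" "$4"
}

# gen_rules: the complete rule file, in evaluation order.
gen_rules() {
    fwd_rule 100 "$PUBLIC_IP" "$WS_PORT" "$WS_JAIL" "$WS_PORT"
    printf 'add 200 check-state\n'
    jail_link 300 "$WS_JAIL" "$DB_JAIL" "$DB_PORT"
    # The host's own localhost traffic is unaffected by the jail policy.
    printf 'add 400 allow ip from 127.0.0.1 to 127.0.0.1\n'
    # Everything else between loopback addresses (i.e. jail to jail, or
    # a jail reaching the host's localhost services) is denied and logged.
    printf 'add 500 deny log ip from 127.0.0.0/8 to 127.0.0.0/8\n'
    # The rest of the host's firewall policy goes here; this placeholder
    # accepts everything else, which is an assumption, not a recommendation.
    printf 'add 65000 allow ip from any to any\n'
}

# Usage: sh jailfw.sh > /etc/ipfw.jails.rules
# then point firewall_script in rc.conf at a script that runs
# "ipfw -q /etc/ipfw.jails.rules" after the lo0 aliases exist.
gen_rules
```

Two things to check before relying on this: the FWD action only exists if the kernel was built with `options IPFIREWALL_FORWARD` (required on FreeBSD releases of that era), and the jail to database path is the only loopback traffic the rules allow, so any other service the webserver jail needs (syslog, DNS) has to be added as a further `jail_link` line rather than by loosening rule 500.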