From: Ollivier Robert <roberto@keltia.net>
To: freebsd-jail@freebsd.org
Date: Mon, 29 Jul 2013 15:43:58 +0200
Subject: jail design
Message-ID: <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>

Hello,

I have a new server I'm going to run all my services on (www, smtp/imap, and so on). Running 9.2-BETA1, full ZFS-on-root.

What are the best practices about jails, knowing that:

- I have only one IPv4
- I have a full /48 IPv6 to play with

I've looked at ezjail, which is doing most of what I need, but it does not support ip4/ip6=inherit parameters (and no jail.conf support either), so my networking setup is more complicated. All the other packages like qjail have only limited ZFS support.

Do I need to set up pf to redirect all traffic in/out for specific ports to my jails? Or do I try to shoehorn "inherit" into ezjail? Is inherit easier to deal with? What are the security implications?

I need something as easy as ezjail or a way to tweak it, with

- one jail for smtp/imap
- one for www stuff, ideally one jail per hosted domain (using nginx)

I'm a jail newbie, in case you haven't found it already :)

Thanks,
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.net
In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
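The following jail.conf and pf.conf fragments are an added illustration of the two addressing models the question weighs (dedicated per-jail addresses versus ip4/ip6=inherit); they are not part of the original message and not ezjail's or qjail's configuration. Interface names (em0, lo1), the 10.0.0.0/24 loopback range, the 2001:db8:1::/48 prefix and the jail paths are assumed placeholders. The layout gives each jail its own IPv6 address from the /48 (no translation needed), puts each jail's IPv4 on a cloned loopback interface and uses pf rdr to hand selected ports of the single public IPv4 to the right jail, which is the setup that keeps a jail from binding to host or sibling-jail addresses.

```conf
# /etc/jail.conf (assumed paths and addresses; 9.x syntax)
exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;            # devfs ruleset for jails from /etc/defaults/devfs.rules
path = "/usr/jails/$name";    # ZFS dataset per jail mounted here (assumed)

# Dedicated addresses: the jail may only bind() to these. Listing ip4.addr
# implies ip4=new; the "interface|address" form adds the address at start.
mail {
    host.hostname = "mail.example.net";
    ip4.addr = "lo1|10.0.0.2/32";
    ip6.addr = "em0|2001:db8:1:2::25/64";
}

www {
    host.hostname = "www.example.net";
    ip4.addr = "lo1|10.0.0.3/32";
    ip6.addr = "em0|2001:db8:1:3::80/64";
}

# Inherit alternative (not used above): the jail shares the host's entire
# IPv4/IPv6 stack, so it can bind any host address and any free port,
# and pf cannot tell host and jail traffic apart by address.
# inheritjail {
#     ip4 = inherit;
#     ip6 = inherit;
# }
```

```conf
# /etc/pf.conf fragment (assumed interface names)
ext_if = "em0"
jail_net = "10.0.0.0/24"

# outbound IPv4 from jails leaves with the host's single public address
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# steer only the ports a jail serves; everything else stays on the host
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port { 25, 143, 993 } -> 10.0.0.2
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 }      -> 10.0.0.3
```

The loopback clone is created with `cloned_interfaces="lo1"` in rc.conf; the IPv6 side needs no rdr because each jail answers on its own global address, so only IPv4 is shared through pf.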