From: Bigby Findrake <bigby@ephemeron.org>
Date: Sun, 7 May 2006 13:17:29 -0700 (PDT)
To: freebsd-security@freebsd.org, nospam@mgedv.net
Subject: Re: Jails and loopback interfaces
Message-ID: <20060505142945.J26390@home.ephemeron.org>
In-Reply-To: <200605041415.k44EFYKF043028@lurza.secnetix.de>

On Thu, 4 May 2006, Oliver Fromme wrote:

> No@SPAM@mgEDV.net wrote:
> >
> > > I recently did something like this. I have a webserver in a jail that
> > > needs to talk to a database, and the webserver is the only thing that
> > > should talk to the database.
> >
> > > My solution was to use 2 jails: one for the webserver, and another for
> > > the database.
> >
> > > Jail 1:
> > > * runs webserver
> > > * binds to real interface with real, routable IP
> >
> > > Jail 2:
> > > * runs database server
> > > * binds to loopback interface, isn't directly reachable
> > >   from outside the box
> >
> > Just to clarify that for me: you did set up this layout, or you
> > tried to set up this? As I read it, I understand that you did!
> >
> > I tried exactly the same, but currently jails are bound to the specific
> > IP address assigned to them, so I wonder how the webserver on a real
> > IP address can communicate with the database bound to the loopback IP.
> > If you could kindly tell how you solved this issue (we're using 6.1).
>
> In fact, it is a good idea to _always_ bind jails to non-
> routable loopback IPs. For example:
>
> jail 1 (webserver) on 127.0.0.2
> jail 2 (database) on 127.0.0.3
>
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.

Wouldn't you need to use some form of NAT and not forwarding? This is
from IPFW(8) (6.0-RELEASE):

    The fwd action does not change the contents of the packet at all.
    In particular, the destination address remains unmodified, so
    packets forwarded to another system will usually be rejected by
    that system unless there is a matching rule on that system to
    capture them. For packets forwarded locally, the local address of
    the socket will be set to the original destination address of the
    packet.

It seems to me that the jail might reject the packets, and even if it
didn't, would the replies from the jail get the right source address put
on them?

I haven't tried what you're talking about, so I'm just guessing.
Forwarding doesn't seem to be the way to accomplish what you're talking
about.

/-------------------------------------------------------------------------/
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation...

finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
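A host-side check for the two-jail layout discussed in this thread (an added example, not code from any poster): given `sockstat -4 -l` style output, it lists listening sockets whose local address is not in 127.0.0.0/8, which is what "not directly reachable from outside the box" should leave empty for the database jail. The sample output is constructed, and the column layout (COMMAND in field 2, LOCAL ADDRESS in field 6) is assumed from sockstat(1).

```shell
# Constructed sample of `sockstat -4 -l` as seen from the host. A wildcard
# bind inside a jail shows up as the jail's own IP (here 127.0.0.3 for the
# database jail), so anything still on a routable or wildcard address is
# reachable from the wire.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  3  tcp4   192.0.2.10:80         *:*
pgsql    postgres   2345  4  tcp4   127.0.0.3:5432        *:*
root     sshd       345   3  tcp4   *:22                  *:*
mysql    mysqld     4567  5  tcp4   0.0.0.0:3306          *:*'

# Print "COMMAND LOCAL_ADDRESS" for every listener whose address is outside
# 127/8. "*" and 0.0.0.0 are treated as exposed because they include the
# real interface's IP.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                        # skip the header line
        {
            addr = $6
            sub(/:[^:]*$/, "", addr)            # strip the ":port" suffix
            if (addr !~ /^127\./) print $2, $6
        }'
}

# Expect httpd and sshd (intended) plus mysqld on 0.0.0.0 (a leak to fix);
# postgres on 127.0.0.3 is correctly absent.
exposed_listeners "$SAMPLE_SOCKSTAT"
```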