From: Matthew Seaman
Date: Sun, 23 Mar 2008 07:23:35 +0000
To: David Allen
Cc: freebsd-questions@freebsd.org
Subject: Re: A few jail questions
Message-ID: <47E60577.6080002@infracaninophile.co.uk>
In-Reply-To: <2daa8b4e0803221937m7b1c2016h663ade8749272bde@mail.gmail.com>

David Allen wrote:
> I've recently been examining the use of jails in FreeBSD, and I have some
> questions I hope someone can shed some light on with respect to running
> virtual servers in jails.
>
> 1. Upgrading.  This is probably an "It Depends" question, but if a host system
> is upgraded (within version numbers), will the new kernel and world on the
> host system cause potential problems with existing jails when they are
> restarted?  Or do the jails need to be rebuilt before they are started?

In general, no.  It is quite possible to host a jail running effectively
a different version of FreeBSD than the base machine -- a technique that is
used extensively in the ports build cluster.  The emulation is not perfect, and
of course the kernel that is used is the one from the base system, but it's
fine for most purposes.

If it's just a case of slight lag between updating the base system and the
jails, then I wouldn't worry about it.

> 2. Localhost.  Jails seem to be implemented using IP address aliasing, so
> anything within the jail that wants to, or is configured to, bind to the
> localhost address, now gets bound to the jail's IP address.  This means
> that what was once local, is now publicly available.  Will running a
> firewall on the host system work in such cases?

Yes, a firewall is a good idea.  One very effective method to secure a jail
is to create the jail bound to the *loopback* interface of the main host, and
then use firewall redirect rules to send the wanted traffic to the jail's
IP.  eg. using pf:

  jail_int = "127.0.0.2"
  jail_ext = "12.34.56.78"

  [...]

  nat on $ext_if proto { tcp udp } \
      from $jail_int \
      to !$jail_int -> $jail_ext static-port

  rdr on $ext_if proto tcp \
      from any \
      to $jail_ext port { 22 80 } -> $jail_int

  rdr on $ext_if proto udp \
      from any \
      to $jail_ext port 53 -> $jail_int

So in this case only tcp traffic to ports 22 and 80 or udp traffic to port 53
is redirected into the jail.

Variations on this technique are about the only way to effectively give a
jail more than one IP.

> 3. Sendmail.  The usual approach of setting "sendmail_enable=NO" (or using
> DAEMON_OPTIONS) won't prevent sendmail running in a jail from starting up
> and listening for incoming mail from external hosts.  Short of disabling
> sendmail entirely, I'm wondering what approach most people use as a
> workaround.

Fixed by the bind-jail-to-loopback trick above.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
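As an added example (not part of Matthew's mail or of FreeBSD itself): a small POSIX sh helper that does two things for the bind-jail-to-loopback technique. `gen_pf_rules` emits the same nat/rdr fragment as above but generalized to any list of tcp and udp ports, and `check_listeners` audits a `sockstat -4 -l` style listing to confirm that every daemon in the jail really is bound to the loopback alias rather than to `*` or the external address, which is exactly the exposure question 2 worries about. The IPs, ports and the sample sockstat lines are constructed for illustration; the column layout assumed is FreeBSD's `USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS`.

```shell
#!/bin/sh
# Added example, not from the original mail. All addresses, ports and the
# sample listing in the test are constructed; $ext_if is left as a pf macro.

# gen_pf_rules INT_IP EXT_IP "TCP_PORTS" "UDP_PORTS"
# Emits the nat/rdr rules for a jail bound to a loopback alias INT_IP that
# should be reachable on EXT_IP only on the listed ports (either list may be
# empty, in which case no rdr rule is emitted for that protocol).
gen_pf_rules() {
    int_ip=$1; ext_ip=$2; tcp_ports=$3; udp_ports=$4
    # Outbound traffic from the jail leaves with the external address.
    printf 'nat on $ext_if proto { tcp udp } from %s to !%s -> %s static-port\n' \
        "$int_ip" "$int_ip" "$ext_ip"
    if [ -n "$tcp_ports" ]; then
        printf 'rdr on $ext_if proto tcp from any to %s port { %s } -> %s\n' \
            "$ext_ip" "$tcp_ports" "$int_ip"
    fi
    if [ -n "$udp_ports" ]; then
        printf 'rdr on $ext_if proto udp from any to %s port { %s } -> %s\n' \
            "$ext_ip" "$udp_ports" "$int_ip"
    fi
}

# check_listeners INT_IP  (reads a sockstat -4 -l listing on stdin)
# Prints "COMMAND LOCAL_ADDRESS" for every listening socket whose local
# address is not the jail's loopback alias, i.e. a wildcard (*) or external
# bind that the rdr rules would not be protecting. Exit status 1 if any such
# listener was found, 0 if the listing is clean.
check_listeners() {
    awk -v ip="$1" '
        NR == 1 && $1 == "USER" { next }      # skip the sockstat header line
        {
            addr = $6
            sub(/:[^:]*$/, "", addr)          # strip the ":port" suffix
            if (addr != ip) { print $2, $6; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage: sh jail-pf.sh 127.0.0.2 12.34.56.78 "22 80" 53
#        sockstat -4 -l | sh -c '. ./jail-pf.sh; check_listeners 127.0.0.2'
if [ "$#" -eq 4 ]; then
    gen_pf_rules "$@"
fi
```

The audit is the check worth keeping around: the pf rules only decide what reaches 127.0.0.2 from outside, so a daemon in the jail that binds to `*` (as sendmail in question 3 would if the jail had a public IP) is not harmed by them, but it is also not what you intended. On current FreeBSD `sockstat -j <jid>` narrows the listing to one jail, which makes the same check easy to run from the host.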