From: Fbsd8
Date: Wed, 04 Apr 2012 10:06:25 -0400
To: Andrea Venturoli
Cc: freebsd-questions@freebsd.org
Subject: Re: Best practices about Jails
Message-ID: <4F7C5561.9000208@a1poweruser.com>
In-Reply-To: <4F7C0365.1050201@netfence.it>

Andrea Venturoli wrote:
> Hello.
>
> Please forgive the long post and the amount of questions, but I'm new to
> jails and I'd like to be sure of what I'm doing before deploying more
> than a test one.
> Right now I need to run a commercial Java app, which, ideally, I would
> forbid to access files outside its directory.
> This might be done by simply chrooting it, but I read a jail is a better
> solution, so I started with ezjails.
>
> First of all, I'm wondering whether it would be possible/useful to use
> chroot even inside that jail. Any opinions?

Possible yes, useful not at all.

>
> Second question: from inside the jail I can access all services on
> localhost (eg. telnet localhost pop3, where a pop3 server is running on
> the host). Can this be avoided, e.g. with ipfw?
> Ideally, since this jail will run only one daemon and it will be
> accessed through Apache mod_proxy from the host, I'll just need inbound
> access to its port and outbound access to smtp and web proxy on the host
> system. No direct access from/to other hosts.
> Is this possible?

Firewall in a jail will not work. Only the host firewall has access to
the network.

>
> Next... ezjail's author suggests I have a copy of the port tree just for
> the jails and, furthermore, a repository for distfiles for every jail.
> Since this would waste a lot of space, I already used a single distfile
> repository, but I'm also wondering whether it would be a bad idea to use
> the host's port tree. I know lot of people do this and, keeping it tidy
> with portsclean -CD, I wonder if it really would be a security risk in
> my case.

This is overkill. A single ports tree on the host is fine. Matter of
fact I use packages for everything except for php, which I have to
compile as an apache module. I even pre-install all of php's dependents
as packages before doing "make install" on the php port. As far as
portsclean goes, it's only for the paranoid.

>
> Finally (for now :): I usually install portaudit and receive every day a
> report about vulnerabilities in the host system's installed ports. What
> about jails? Should I install portaudit there too and let them flood me
> with reports? Is there a way to let the host's portaudit check jails too?

If you don't have a full ports tree in the jail then there is no need for
portaudit in the jail.

>
> I'm sure I'll have other questions in some days...
> Thanks in advance for now to anyone who will answer.

Best practice is not to create a jail environment by hand as documented
in the FreeBSD handbook. The port utility qjail simplifies and automates
the process to the point where you don't even have to know about the
jail command.

http://qjail.sourceforge.net/ Use the port version for 8.x & 9.0.

>
> bye
> av.
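An added example, not code from either poster or from ezjail/qjail, of what the "host firewall" answer looks like in practice: host-side ipfw rules that let only the host reach the jail's application port and let the jail reach only the host's smtp and web proxy ports, everything else being denied. The jail address, host address, ports and rule numbers are assumed placeholders.

```sh
#!/bin/sh
# Host-side ipfw rule set confining a single jail (added example; all
# values below are assumed placeholders, not taken from the thread).

JAIL_IP="192.0.2.10"    # assumed: the jail's alias address on the host
HOST_IP="192.0.2.1"     # assumed: the host's own address (Apache mod_proxy side)
APP_PORT="8080"         # assumed: port the jailed Java app listens on
HOST_PORTS="25,3128"    # assumed: host smtp and web proxy ports the jail may use
BASE=1000               # assumed: unused rule-number range in the host ruleset

# Print the rules; nothing is applied until the output is fed to ipfw(8).
# Rule order matters: traffic not matched by the two allow rules is denied,
# so the jail cannot open pop3 or anything else on the host or elsewhere.
jail_rules() {
    cat <<EOF
add $BASE check-state
add $((BASE + 10)) allow tcp from $HOST_IP to $JAIL_IP $APP_PORT setup keep-state
add $((BASE + 20)) allow tcp from $JAIL_IP to $HOST_IP $HOST_PORTS setup keep-state
add $((BASE + 30)) deny log ip from $JAIL_IP to any
add $((BASE + 40)) deny log ip from any to $JAIL_IP
EOF
}

# Usage: ./jailfw.sh show   (print the rules, the default)
#        ./jailfw.sh apply  (load them into the running ruleset, as root)
case "${1:-show}" in
    apply) jail_rules | ipfw -q /dev/stdin ;;
    show)  jail_rules ;;
esac
```

A jail's "localhost" is rewritten to the jail's own address, so that traffic shows up on lo0 with the jail IP as source and destination: these rules must sit before any blanket `allow ip from any to any via lo0` rule or they are never reached. Binding host daemons such as the pop3 server to the host address instead of all addresses removes the exposure independently of the firewall.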