Date:      Wed, 4 Apr 2012 17:31:58 -0500
From:      Adam Vande More <amvandemore@gmail.com>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Best practices about Jails
Message-ID:  <CA%2BtpaK0M-T==FbU4QUr1orNgMoBNxj6LBp-NSng-3Pazk2TNkg@mail.gmail.com>
In-Reply-To: <4F7C0365.1050201@netfence.it>
References:  <4F7C0365.1050201@netfence.it>

On Wed, Apr 4, 2012 at 3:16 AM, Andrea Venturoli <ml@netfence.it> wrote:

> Second question: from inside the jail I can access all services on
> localhost (eg. telnet localhost pop3, where a pop3 server is running on the
> host). Can this be avoided, e.g. with ipfw?
> Ideally, since this jail will run only one daemon and it will be accessed
> through Apache mod_proxy from the host, I'll just need inbound access to
> its port and outbound access to smtp and web proxy on the host system. No
> direct access from/to other hosts.
> Is this possible?
>

I use http://druidbsd.sourceforge.net/vimage.shtml to manage VIMAGE jails.
It works well.  I don't use any of the jail frameworks in ports because I
don't run a large number of jails, which is where one sees the greatest
benefit from them.  Of course they make certain optimizations and procedures
easier, but there is something to be said for learning the canonical way
jails operate before implementing them in a more abstract framework.  My
statements are not considering the rc.d/jail* and vimage package as
frameworks (although they are in a way at least).

-- 
Adam Vande More


