From: Bigby Findrake <bigby@ephemeron.org>
To: Cyril Jaouich, freebsd-security@freebsd.org
Date: Tue, 7 Mar 2006 10:00:48 -0800 (PST)
Subject: Re: Jails and loopback interfaces
Message-ID: <20060307094404.B49310@home.ephemeron.org>
In-Reply-To: <20060307150703.75574.qmail@web30609.mail.mud.yahoo.com>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")
I recently did something like this. I have a webserver in a jail that needs to talk to a database, and the webserver is the only thing that should talk to the database.

My solution was to use 2 jails: one for the webserver, and another for the database. A jail can only bind to one IP. Presumably you want the webserver to be able to talk out of the box, so having the webserver jail bind to a loop-back address isn't really the way to go (without getting unnecessarily complex with all sorts of NATing and forwarding firewall rules).

Jail 1:
 * runs webserver
 * binds to real interface with real, routable IP

Jail 2:
 * runs database server
 * binds to loopback interface, isn't directly reachable from outside the box

As a further piece of advice, if you're using jails at all, you're probably concerned with security. In case you are, you should always consider firewalling the jail to make sure that it can't reach things that you don't want it to. I usually implement a few stateful firewall rules to make it so that the jail cannot initiate connections outward, because if the jail is compromised, you (probably) want to make it so that it cannot be used as a platform to launch further attacks. For example:

  ipfw add check-state
  ipfw add allow tcp from any to $JAIL keep-state setup
  ipfw add deny ip from any to $JAIL
  ipfw add deny ip from $JAIL to any

Or, if you know that the only service you want to be available on the jail is the web server, why allow any other access at all?
  ipfw add check-state
  ipfw add allow tcp from any to $JAIL 80 keep-state setup
  ipfw add deny ip from any to $JAIL
  ipfw add deny ip from $JAIL to any

You would, of course, have to modify these rules to accommodate your database.

On Tue, 7 Mar 2006, Cyril Jaouich wrote:

> Hi,
>
> Running: FreeBSD 6.0
>
> I am wondering if it is possible to have access to a loopback IP in a jail. I
> currently have a server running a jail. In the jail, there is a database and a
> web server. I would like to be able to have the database only bind on a
> loopback address and not on the jail's IP.
>
> Can this be done and how?
>
> Thanks
>
> -Cyril

/-------------------------------------------------------------------------/
"I'm busy. What, you think these web-sites are gonna surf themselves???"
finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
/-------------------------------------------------------------------------/