From owner-freebsd-jail@FreeBSD.ORG Mon Jul 29 21:19:53 2013
Date: Mon, 29 Jul 2013 23:50:55 +0300
From: wishmaster
Subject: Re: jail design
To: Ollivier Robert
Cc: freebsd-jail@freebsd.org
Message-Id: <1375129684.51112329.bbke8h7m@zebra-x17.ukr.net>
In-Reply-To: <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>
List-Id: "Discussion about FreeBSD jail(8)"
--- Original message ---
From: "Ollivier Robert"
Date: 29 July 2013, 16:44:11

> Hello,
>
> I have a new server I'm going to run all my services on (www, smtp/imap, and so on). Running 9.2-BETA1, full ZFS-on-root.
>
> What are the best practices about jails knowing that:
> - I have only one IPv4
> - I have a full /48 IPv6 to play with
>
> I've looked at ezjail which is doing most of what I need but it does not support ip4/ip6=inherit parameters (and no jail.conf support either) so my networking setup is more complicated. All the other packages like qjail have only limited ZFS support.

ezjail is a good tool, but not suitable for vnet, so from my experience:

- I use a slightly patched ezjail to create the jail environment, update and so on. Also I have made 'newjail' suitable for login and network and have populated it with base packages like mc, perl and so on.
- I use jail2 from ports as a startup script which reads configs from jail.conf, not from rc.conf.
- I use vnet jails which communicate with the world and each other via epair interfaces.
- As firewall: ipfw, disabled in each jail, but filtering on each epair*a interface. ipfw is configured with a per-interface ACL.

> Do I need to setup pf to redirect all traffic in/out for specific ports to my jails? Or do I try to shoehorn "inherit" into ezjail? Is inherit easier to deal with? What are the security implications?
>
> I need something as easy as ezjail or a way to tweak it, with
> - one jail for smtp/imap
> - one for www stuff, ideally one jail per hosted domain (using nginx)

Use nginx in a separate jail with virtual hosts. Why do you need vhost/jail?

> I'm a jail newbie, in case you haven't found it already :)
>
> Thanks,
>
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.net
> In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
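The layout the reply sketches (vnet jails on epair pairs, configuration in jail.conf rather than rc.conf, ipfw left off inside the jail and a per-interface ACL applied on the host side of each epair*a) can be expressed directly in jail(8)'s jail.conf. The fragment below is an added example, not wishmaster's configuration and not something shipped by ezjail or jail2; the jail name, path, the 10.10.0.0/24 addresses, the example.net hostname, the ipfw rule numbers and the use of ipfw set 10 are all constructed for illustration. It assumes a kernel built with VIMAGE, ipfw loaded on the host, and jails rooted under /usr/jails.

```conf
# /etc/jail.conf -- added example, not the poster's configuration.
# Assumes: VIMAGE kernel, ipfw active on the host, jails under /usr/jails.
# Addresses, names and rule numbers below are constructed placeholders.

# Defaults shared by every jail section
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name.example.net";   # example.net: placeholder domain

# Mail jail (smtp/imap) with its own network stack on epair0
mail {
    vnet;
    vnet.interface = "epair0b";        # jail side of the pair moves into the jail

    # Host side: create the pair, address epair0a, then install the ACL for
    # this interface in ipfw set 10 so the whole set can be removed on stop.
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair0a 10.10.0.1/24 up";
    exec.prestart += "ipfw add 10000 set 10 check-state";
    # Towards the jail: only the mail service ports, stateful
    exec.prestart += "ipfw add 10010 set 10 allow tcp from any to 10.10.0.2 25,143,993 out xmit epair0a setup keep-state";
    # From the jail: DNS and outbound SMTP only
    exec.prestart += "ipfw add 10020 set 10 allow udp from 10.10.0.2 to any 53 in recv epair0a keep-state";
    exec.prestart += "ipfw add 10021 set 10 allow tcp from 10.10.0.2 to any 25,53 in recv epair0a setup keep-state";
    # Everything else crossing this interface is dropped and logged
    exec.prestart += "ipfw add 10090 set 10 deny log ip from any to any via epair0a";

    # Inside the jail: address the jail side and set the default route
    # before rc(8) starts the services. ipfw is not enabled in the jail.
    exec.start  = "/sbin/ifconfig epair0b 10.10.0.2/24 up";
    exec.start += "/sbin/route add default 10.10.0.1";
    exec.start += "/bin/sh /etc/rc";

    # Tear down in reverse: drop the ACL set, then the epair
    exec.poststop  = "ipfw delete set 10";
    exec.poststop += "ifconfig epair0a destroy";
}
```

Each further jail (for example the www jail) gets its own epairN and its own ipfw set number, so that stopping one jail never disturbs another jail's rules. The rule numbers must sit before the host ruleset's final deny so that the per-interface rules are consulted at all, and because the filtering lives on the host side of the epair, a compromised jail cannot loosen its own ACL even though it has a full network stack of its own.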