From: Rocky Borg
Date: Tue, 10 Aug 2010 18:07:32 -0700
To: freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?
Message-ID: <4C61F7D4.6000905@speakeasy.net>
In-Reply-To: <4C61E8B1.7050605@a1poweruser.com>

On 8/10/2010 5:02 PM, Fbsd8 wrote:
> 1. ping is a security risk from within a jail and is disabled by
> design. (read jail(8) for details). No use using a jail if the first
> thing you do is re-enable ping in the jail. To test for public
> internet connection from within a jail use dig or whois commands.
There is a vast difference between testing a network connection and leaving something in for live deployment. Tools like ping and traceroute are for network diagnostics. You can easily run into a situation where dig and whois don't work but ping/traceroute will, in which case you quickly realize hostnames aren't resolving in a jail (or you can find out where exactly packets stopped at). Meanwhile the person using only dig and whois might be spinning their wheels trying to fix problems that aren't really problems. They might have created a jail and have everything set up except they forgot to create an /etc/resolv.conf in the jail. There is nothing wrong with allowing raw sockets to get up and running and then changing it back (the jail man page states to use caution with raw sockets, not a blatant don't do it).

> 2. Using the host's firewall to drive traffic to a jail is a sign you
> have your jail incorrectly configured or do not understand how jails
> are intended to work.

If you have jails assigned to non-routable IPs (i.e. 10.0.0.2, 10.0.0.3), how else would you redirect traffic coming in from your host's ip:(http_port, dns_port, etc.) to the corresponding jail that handles it? I've read a bunch of stuff on jails and unless I missed something (which is totally possible) using a NAT that's part of a firewall seems like pretty standard fare. How else would you go about it?

> 3. Jails do not have a network stack of their own, so they can't have a
> firewall. The host's firewall and network stack are in control.

The documentation is rather sparse since it's so new and I personally haven't used it, but FreeBSD 8 has VIMAGE (network stack virtualization).

http://wiki.freebsd.org/Image/VNETSamples
http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto
http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet

> 4. There are 2 utilities for creating jails. Qjail the better
> documented of the 2, is designed for the novice which clearly you are.
> I strongly suggest you checkout
> http://sourceforge.net/projects/qjail

You should probably preface this by saying you're the author of Qjail and have been actively promoting it in a few places, including the fbsd forums. Nothing wrong with that I guess, but I still haven't been able to figure out how it's any different (better?) than ezjail (which has both an excellent website and man page).
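The redirect-by-firewall setup argued for in point 2 of the reply above (a public address on the host, jails on non-routable 10.0.0.x addresses, the host firewall's NAT steering each service to the jail that serves it), as an added pf.conf example. It is not part of the original message and not taken from Qjail, ezjail or any of the linked pages. It assumes em0 is the host's external interface, that the jail addresses 10.0.0.2 (web) and 10.0.0.3 (DNS) are configured as aliases on a cloned loopback interface lo1, and that the services listen on their standard ports; all of those names and addresses are constructed for the illustration.

```pf
# /etc/pf.conf on the jail host (constructed example, not from the thread)
ext_if   = "em0"          # host's public interface (assumed)
jail_if  = "lo1"          # cloned loopback carrying the jail addresses (assumed)
jail_net = "10.0.0.0/24"  # non-routable range the jails live in
www_jail = "10.0.0.2"     # jail running the web server
dns_jail = "10.0.0.3"     # jail running the resolver

# Loopback traffic, including the jail-only lo1, is not filtered.
set skip on lo0
set skip on $jail_if

# Outbound: jails reach the internet behind the host's public address.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Inbound: rewrite the destination of connections arriving on the host's
# address so each service lands in the jail that handles it. This is the
# "NAT that's part of the firewall" the reply describes.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_jail port 80
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 -> $dns_jail port 53

# rdr only translates; the filter still decides what gets in. Default deny,
# then admit exactly the translated flows (pf matches on the post-rdr address).
block in log on $ext_if
pass in on $ext_if proto tcp from any to $www_jail port 80 keep state
pass in on $ext_if proto { tcp, udp } from any to $dns_jail port 53 keep state

# Host and jails may initiate outbound connections.
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the translation rules with `pfctl -s nat`; the `block in log` line means anything that is not explicitly redirected shows up on pflog0 rather than silently reaching the host. The raw-socket question from point 1 is a separate knob from this: on FreeBSD 8 it is the sysctl security.jail.allow_raw_sockets (or the per-jail allow.raw_sockets parameter from jail(8)), and the reply's own caveat applies, enable it while diagnosing, then turn it back off before the jail goes live.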