Date: Thu, 14 Oct 2010 14:19:51 -0400 (EDT)
From: doug <doug@fledge.watson.org>
To: Matthew Law <matt@webcontracts.co.uk>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Jail question
Message-ID: <alpine.BSF.2.00.1010141402280.86531@fledge.watson.org>
In-Reply-To: <a326819258145be7f52702ca68402e23.squirrel@www.webcontracts.co.uk>
References: <a326819258145be7f52702ca68402e23.squirrel@www.webcontracts.co.uk>
On Thu, 14 Oct 2010, Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix,
> dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also
> acts as a network gateway so it would give an attacker carte blanche to
> the internal nets if it was compromised, which makes me nervous. The plan
> is to run openvpn as the only unjailed service and the rest of the
> services in a single jail or their own jails.
>
> I have never touched jails before and I'm a bit unsure of the best way to
> go. I realise that I can jail a service or a copy of the whole system
> (service would be preferable for space efficiency) but I am unclear on how
> to deal with IP addresses in jailed environments and if I should create
> individual jails or a single jail for all services. At the moment I am
> leaning toward a single system jail for everything so I can keep the space
> in which openvpn runs as uncluttered as possible and also have a single
> postgres instance shared by the other services. Basically, if any of the
> public services in the jail are compromised I would like to make it very
> hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the
> services jail or is it possible to use a single IP or some NAT/PAT scheme?
> -this box currently has 4 x NICs split into 2x lagg interfaces in failover
> mode (one public, one private), if that makes any difference....
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.

Starting with FreeBSD 8, jails may have multiple IPs and can use sockets. AFAIK this makes a jail pretty much like a separate physical system in a functional sense. Between man jail and the handbook there is a clear explanation of the management and setup procedures. Hopefully those with a better understanding of the internals will weigh in with the liabilities for what you want to do.
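One way to lay this out with a single public IP, as an added example that is not from the thread (the addresses, interface names, jail path and port list are assumptions): the services jail gets a private address on a cloned loopback interface so it never sits on the internal LAN, pf forwards the public service ports from the host's one public address to the jail, and a block rule keeps the jail away from the internal nets even if a jailed service is compromised. The FreeBSD 8 rc.conf(5) jail_* variables are used; openvpn stays on the host.

```conf
# /etc/rc.conf (fragment)
cloned_interfaces="lo1"                 # loopback clone that carries the jail address
jail_enable="YES"
jail_list="services"
jail_services_rootdir="/usr/jails/services"   # assumed jail path
jail_services_hostname="services.example.org" # assumed hostname
jail_services_ip="lo1|10.0.0.2/32"            # jail IP, not on lagg0 or lagg1
jail_services_devfs_enable="YES"
jail_services_devfs_ruleset="devfsrules_jail"
jail_services_exec_start="/bin/sh /etc/rc"
jail_services_exec_stop="/bin/sh /etc/rc.shutdown"

# /etc/pf.conf (fragment; rules for ordinary internal-side traffic omitted)
ext_if = "lagg0"                 # public failover lagg
int_if = "lagg1"                 # private failover lagg
ext_ip = "203.0.113.10"          # the box's single public address (assumed)
jail_ip = "10.0.0.2"
internal_net = "192.168.0.0/16"  # assumed internal range
services = "{ 25, 80, 143, 993 }"

# lo1 must be skipped too: inside the jail 127.0.0.1 maps to 10.0.0.2, so
# dovecot/postfix talking to the jailed postgres loops over lo1, not lo0
set skip on { lo0 lo1 }
scrub in all

# outbound from the jail (DNS, mail delivery) leaves as the public address
nat on $ext_if from $jail_ip to any -> $ext_ip
# public service ports are redirected to the jail; 1194/udp is not, so
# openvpn keeps running unjailed on the host
rdr on $ext_if proto tcp from any to $ext_ip port $services -> $jail_ip

block all
# the jail may never reach the internal nets, whatever runs inside it
block quick from $jail_ip to $internal_net
# filtering happens after rdr, so the forwarded traffic now targets $jail_ip
pass in on $ext_if proto tcp to $jail_ip port $services keep state
pass in on $ext_if proto udp to $ext_ip port 1194 keep state
pass out on $ext_if from { $ext_ip, $jail_ip } keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `jls` plus `jexec services sockstat -4l` shows which addresses the jailed daemons actually bound after startup.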