From owner-freebsd-questions@FreeBSD.ORG Thu Oct 14 18:19:53 2010
Return-Path:
Delivered-To: freebsd-questions@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E8B471065673 for ; Thu, 14 Oct 2010 18:19:53 +0000 (UTC) (envelope-from doug@fledge.watson.org)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by mx1.freebsd.org (Postfix) with ESMTP id 8B5098FC0C for ; Thu, 14 Oct 2010 18:19:53 +0000 (UTC)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id o9EIJqZp014243; Thu, 14 Oct 2010 14:19:52 -0400 (EDT) (envelope-from doug@fledge.watson.org)
Received: from localhost (doug@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id o9EIJp7j014239; Thu, 14 Oct 2010 14:19:52 -0400 (EDT) (envelope-from doug@fledge.watson.org)
Date: Thu, 14 Oct 2010 14:19:51 -0400 (EDT)
From: doug
To: Matthew Law
In-Reply-To:
Message-ID:
References:
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 14 Oct 2010 14:19:52 -0400 (EDT)
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Jail question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: doug@safeport.com
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 14 Oct 2010 18:19:54 -0000

On Thu, 14 Oct 2010, Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix,
> dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also
> acts as a network gateway, so it would give an attacker carte blanche to
> the internal nets if it was compromised, which makes me nervous. The plan
> is to run openvpn as the only unjailed service and the rest of the
> services in a single jail or their own jails.
>
> I have never touched jails before and I'm a bit unsure of the best way to
> go. I realise that I can jail a service or a copy of the whole system
> (service would be preferable for space efficiency), but I am unclear on how
> to deal with IP addresses in jailed environments and if I should create
> individual jails or a single jail for all services. At the moment I am
> leaning toward a single system jail for everything so I can keep the space
> in which openvpn runs as uncluttered as possible and also have a single
> postgres instance shared by the other services. Basically, if any of the
> public services in the jail are compromised I would like to make it very
> hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the
> services jail, or is it possible to use a single IP or some NAT/PAT scheme?
> This box currently has 4 x NICs split into 2 x lagg interfaces in failover
> mode (one public, one private), if that makes any difference....
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.
>

Starting with FreeBSD 8, jails may have multiple IPs and can use sockets. AFAIK this makes a jail pretty much like a separate physical system in a functional sense. Between man jail and the handbook there is a clear explanation of the management and setup procedures. Hopefully those with a better understanding of the internals will weigh in with the liabilities for what you want to do.
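An added example, not part of Doug's reply, Matt's question or the FreeBSD handbook: one way to answer the "single public IP or NAT/PAT" part of the question is to give every service its own jail on a private address bound to a loopback clone, let pf NAT the jails out through the host's one public address and redirect inbound ports to the right jail, and block the jail network from the internal LAN on the private lagg. The script below stages a jail.conf (the jail(8) syntax available from FreeBSD 9.1 on, not the rc.conf jail_* variables of the 2010 era) and a pf.conf under a review directory rather than touching /etc. The interface names lagg0/lagg1/tun0, the 10.66.0.0/24 jail network, the 192.168.1.0/24 LAN, the jail names, addresses and hostnames are all assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or the FreeBSD handbook.
# Per-service jails on one public IP: jails live on RFC 1918 addresses
# bound to lo1, pf does NAT out and port-based rdr in, and the jail net
# is blocked from the internal LAN and the VPN tunnel.  lagg0/lagg1/tun0,
# 10.66.0.0/24, 192.168.1.0/24 and the hostnames are assumptions.
# Files go under "$1" (default /tmp/jailcfg) for review, not under /etc.

write_jail_configs() {
    dest="${1:-/tmp/jailcfg}"
    mkdir -p "$dest/etc" || return 1

    # --- jail.conf: lo1 must exist (cloned_interfaces="lo1" in rc.conf)
    cat > "$dest/etc/jail.conf" <<'EOF'
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;              # devfsrules_jail: no disks, bpf, mem
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
interface = "lo1";              # jail(8) adds and removes the alias itself

mail { ip4.addr = 10.66.0.10; } # postfix, dspam, greylist, clamav
imap { ip4.addr = 10.66.0.20; } # dovecot
www  { ip4.addr = 10.66.0.30; } # apache22
dns  { ip4.addr = 10.66.0.40; } # bind
db   { ip4.addr = 10.66.0.50; } # shared postgres; never exposed via rdr
EOF

    # --- pf.conf: one public address, demultiplexed by port
    cat > "$dest/etc/pf.conf" <<'EOF'
ext_if   = "lagg0"              # public lagg (assumption)
int_if   = "lagg1"              # private lagg (assumption)
vpn_if   = "tun0"               # openvpn on the host, unjailed (assumption)
jail_net = "10.66.0.0/24"
int_net  = "192.168.1.0/24"
mail = "10.66.0.10"
imap = "10.66.0.20"
www  = "10.66.0.30"
dns  = "10.66.0.40"

set skip on lo0

# Outbound: every jail shares the host's single public address.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Inbound: PAT, each public port redirected to the jail that serves it.
rdr on $ext_if proto tcp to ($ext_if) port 25 -> $mail
rdr on $ext_if proto tcp to ($ext_if) port { 143, 993 } -> $imap
rdr on $ext_if proto tcp to ($ext_if) port { 80, 443 } -> $www
rdr on $ext_if proto { tcp, udp } to ($ext_if) port 53 -> $dns

block log all
pass out quick on $ext_if

# A compromised jail must not reach the LAN or the VPN clients; these
# quick rules win over the gateway pass rules that follow them.
block out quick on $int_if from $jail_net
block out quick on $vpn_if from $jail_net
pass in  quick on $int_if from $int_net
pass out quick on $int_if

# Filter rules see the post-rdr (jail) destination address.
pass in on $ext_if proto tcp to $mail port 25
pass in on $ext_if proto tcp to $imap port { 143, 993 }
pass in on $ext_if proto tcp to $www port { 80, 443 }
pass in on $ext_if proto { tcp, udp } to $dns port 53
pass in on $ext_if proto udp to ($ext_if) port 1194
EOF
}

# Sanity check before going live: every rdr target in pf.conf must be a
# jail that jail.conf actually defines, otherwise traffic is redirected
# to an address nothing listens on.
rdr_targets_defined() {
    dest="${1:-/tmp/jailcfg}"
    for name in $(sed -n 's/^rdr .*-> \$\([a-z]*\)$/\1/p' "$dest/etc/pf.conf" | sort -u); do
        grep -q "^$name *{ ip4.addr" "$dest/etc/jail.conf" || return 1
    done
}
```

After reviewing the staged files, copy them into /etc, check the ruleset with `pfctl -nf /etc/pf.conf`, and start jails with `service jail start` (or `jail -c mail` for one of them). The db jail deliberately has no rdr line: it is reachable only from the other jails over lo1, which is the one-shared-postgres arrangement Matt describes without putting it on the public side.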