From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Wed, 11 Aug 2010 08:42:32 +0100
To: "Randal L. Schwartz"
Cc: Fbsd8, Brice ERRANDONEA, freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?
Message-ID: <4C625468.8010805@infracaninophile.co.uk>
In-Reply-To: <86mxsuynm0.fsf@red.stonehenge.com>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <4C61E8B1.7050605@a1poweruser.com> <86mxsuynm0.fsf@red.stonehenge.com>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 11/08/2010 01:55, Randal L. Schwartz wrote:
>>>>>> "Fbsd8" == Fbsd8 writes:
>
> Fbsd8> 2. Using the host's firewall to drive traffic to a jail is a sign
> Fbsd8> you have your jail incorrectly configured or do not understand
> Fbsd8> how jails are intended to work.
>
> OK, I'll bite. I thought this was the only way to do this. Can you
> elaborate? I'll even accept URL pointers to go read. :)
>

Fbsd8's contention is ... contentious. Giving your jail an IP on the loopback i/f, and then using NAT to redirect traffic for certain selected ports, lets you run services in the jail that need to bind to some network address but that you never want exposed to the Internet. Remember, unless you're using VIMAGE, jails don't have a loopback i/f of their own.

VIMAGE is cool, but as it's still incompatible with various other kernel bits, I don't think it's quite ready for primetime yet.

Yes, you can achieve the same effect using firewall rules, but as I have occasionally said before, firewalls should be optional -- ideally your system should be secure even if you turn the firewall off.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

[OpenPGP signature attachment (signature.asc) omitted]
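The loopback-alias-plus-NAT layout Matthew describes, written out as an added example that is not from the original thread or from FreeBSD's own documentation. It assumes pf as the host firewall, `em0` as the Internet-facing interface, `127.0.1.1` on a cloned `lo1` as the jail's address, and a jail named `www` (all of these are assumptions for illustration, none appear in the post), using the FreeBSD 8-era rc.conf(5) jail variables:

```conf
# /etc/rc.conf (excerpt)
# Give the jail an address that is never routed off the host: a second
# loopback interface with a 127/8 alias.  Because jails without VIMAGE
# have no loopback of their own, this IS the jail's only address.
cloned_interfaces="lo1"
ifconfig_lo1="inet 127.0.1.1 netmask 255.255.255.255"

jail_enable="YES"
jail_list="www"
jail_www_rootdir="/usr/jails/www"          # assumed path
jail_www_hostname="www.jail.example"       # assumed name
jail_www_ip="127.0.1.1"
jail_www_devfs_enable="YES"

pf_enable="YES"

# /etc/pf.conf
ext_if  = "em0"        # assumed external interface
jail_ip = "127.0.1.1"  # the jail's loopback-only address

# Let the jail reach the Internet (for fetching packages etc.).  Without
# this, nothing the jail sends can leave the host, since 127/8 is not routable.
nat on $ext_if from $jail_ip to any -> ($ext_if)

# Expose exactly one service: redirect TCP/80 arriving on the external
# address to the jail.  Every other port the jail binds (a database, an
# admin listener, a debug port) remains reachable only from this host,
# even if the filter rules below are loosened or the firewall is disabled,
# because 127.0.1.1 is not reachable from outside in the first place.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $jail_ip port 80

block in on $ext_if
pass out on $ext_if keep state
```

From the host, `sockstat -4 -j <jid>` (or `sockstat -4 | grep 127.0.1.1`) shows which ports the jail is actually listening on; only those named in an `rdr` rule are reachable from the outside.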