Date: Thu, 14 Oct 2010 21:48:08 +0100
From: krad <kraduk@gmail.com>
To: doug@safeport.com
Cc: Matthew Law <matt@webcontracts.co.uk>, freebsd-questions@freebsd.org
Subject: Re: Jail question
Message-ID: <AANLkTi=XkhH38-T03QWpCZO33Xq76C5vZLGnhLKssayG@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1010141402280.86531@fledge.watson.org>
References: <a326819258145be7f52702ca68402e23.squirrel@www.webcontracts.co.uk> <alpine.BSF.2.00.1010141402280.86531@fledge.watson.org>
On 14 October 2010 19:19, doug <doug@fledge.watson.org> wrote:
> On Thu, 14 Oct 2010, Matthew Law wrote:
>
>> I have a single box on which I would like to run openvpn, smtp (postfix,
>> dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also
>> acts as a network gateway, so it would give an attacker carte blanche to
>> the internal nets if it was compromised, which makes me nervous. The plan
>> is to run openvpn as the only unjailed service and the rest of the
>> services in a single jail or their own jails.
>>
>> I have never touched jails before and I'm a bit unsure of the best way to
>> go. I realise that I can jail a service or a copy of the whole system
>> (service would be preferable for space efficiency) but I am unclear on how
>> to deal with IP addresses in jailed environments and if I should create
>> individual jails or a single jail for all services. At the moment I am
>> leaning toward a single system jail for everything so I can keep the space
>> in which openvpn runs as uncluttered as possible and also have a single
>> postgres instance shared by the other services. Basically, if any of the
>> public services in the jail are compromised I would like to make it very
>> hard for the attacker to see the internal network.
>>
>> If I use this scheme must I use separate public IPs for openvpn and the
>> services jail or is it possible to use a single IP or some NAT/PAT scheme?
>> This box currently has 4 x NICs split into 2x lagg interfaces in failover
>> mode (one public, one private), if that makes any difference....
>>
>> Sorry for the rambling question and I hope this makes sense!
>>
>> Matt.
>
> Starting with FreeBSD 8 jails may have multiple IPs and can use sockets.
> AFAIK this makes a jail pretty much like a separate physical system in a
> functional sense. Between man jail and the handbook there is a clear
> explanation of the management and setup procedures. Hopefully those with a
> better understanding of the internals will weigh in with the liabilities for
> what you want to do.

However you decide to do it, have a look at qjail, as it's a good management tool, especially if you have multiple jails.
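Editor's added example (not from anyone in this thread): one way to lay out the single-public-IP scheme Matt asks about, with one jail per public service on a cloned loopback interface, pf handing each service port from the one public address to its jail, and the jail range blocked from the internal nets. The jail.conf(5) format needs FreeBSD 9.1 or later (FreeBSD 8 configured jails through rc.conf jail_* variables); all hostnames, paths, interface names and addresses here are assumptions.

```conf
# /etc/jail.conf (assumed): one jail per public service, each bound to a
# single address on the cloned loopback lo1 (rc.conf: cloned_interfaces="lo1").
# Nothing jailed listens on the public address itself.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
interface = "lo1";
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
allow.raw_sockets = 0;          # no raw-socket probing from inside a jail

www  { ip4.addr = 10.255.0.1; }
mail { ip4.addr = 10.255.0.2; }
dns  { ip4.addr = 10.255.0.3; }
db   { ip4.addr = 10.255.0.4; } # the one postgres instance, shared over lo1

# /etc/pf.conf (assumed interface names and nets)
ext_if = "lagg0"
int_if = "lagg1"
ext_ip = "203.0.113.10"
jail_net     = "10.255.0.0/24"
internal_net = "192.168.0.0/16"
set skip on lo0

# Jails reach the internet only through the single public address ...
nat on $ext_if from $jail_net to any -> $ext_ip
# ... and the public address hands each service port to its jail.
rdr on $ext_if proto tcp from any to $ext_ip port { 80, 443 } -> 10.255.0.1
rdr on $ext_if proto tcp from any to $ext_ip port { 25, 993 } -> 10.255.0.2
rdr on $ext_if proto { tcp, udp } from any to $ext_ip port 53 -> 10.255.0.3

block all
# The jail range never crosses the gateway into the internal nets, whatever
# a compromised daemon inside a jail attempts.
block out quick on $int_if from $jail_net to $internal_net
# openvpn stays unjailed on the host, as planned.
pass in on $ext_if proto udp to $ext_ip port 1194 keep state
# Filter rules see post-rdr addresses, so pass traffic to the jail addresses.
pass in on $ext_if proto tcp to 10.255.0.1 port { 80, 443 } keep state
pass in on $ext_if proto tcp to 10.255.0.2 port { 25, 993 } keep state
pass in on $ext_if proto { tcp, udp } to 10.255.0.3 port 53 keep state
# Jail-to-jail traffic is loopback traffic: allow only the database port.
pass on lo1 proto tcp from $jail_net to 10.255.0.4 port 5432 keep state
# Outbound from the jails has already been NATed to the public address.
pass out on $ext_if from $ext_ip keep state
```

If VPN clients also sit on the internal nets, the same `block out quick` rule needs to be repeated for the tunnel interface, otherwise a jail could reach them over the tunnel.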