From: krad
To: doug@safeport.com
Cc: Matthew Law, freebsd-questions@freebsd.org
Date: Thu, 14 Oct 2010 21:48:08 +0100
Subject: Re: Jail question
List: freebsd-questions@freebsd.org (User questions)
On 14 October 2010 19:19, doug wrote:

> On Thu, 14 Oct 2010, Matthew Law wrote:
>
>> I have a single box on which I would like to run openvpn, smtp (postfix,
>> dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also
>> acts as a network gateway, so it would give an attacker carte blanche to
>> the internal nets if it was compromised, which makes me nervous. The plan
>> is to run openvpn as the only unjailed service and the rest of the
>> services in a single jail or their own jails.
>>
>> I have never touched jails before and I'm a bit unsure of the best way to
>> go. I realise that I can jail a service or a copy of the whole system
>> (service would be preferable for space efficiency) but I am unclear on how
>> to deal with IP addresses in jailed environments and if I should create
>> individual jails or a single jail for all services. At the moment I am
>> leaning toward a single system jail for everything so I can keep the space
>> in which openvpn runs as uncluttered as possible and also have a single
>> postgres instance shared by the other services. Basically, if any of the
>> public services in the jail are compromised I would like to make it very
>> hard for the attacker to see the internal network.
>>
>> If I use this scheme must I use separate public IPs for openvpn and the
>> services jail or is it possible to use a single IP or some NAT/PAT scheme?
>> This box currently has 4 x NICs split into 2 x lagg interfaces in failover
>> mode (one public, one private), if that makes any difference....
>>
>> Sorry for the rambling question and I hope this makes sense!
>>
>> Matt.
>
> Starting with FreeBSD 8 jails may have multiple IPs and can use sockets.
> AFAIK this makes a jail pretty much like a separate physical system in a
> functional sense. Between man jail and the handbook there is a clear
> explanation of the management and setup procedures. Hopefully those with a
> better understanding of the internals will weigh in with the liabilities for
> what you want to do.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

However you decide to do it, have a look at qjail, as it's a good management tool, especially if you have multiple jails.
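As an added example that is not part of any post in this thread: one way to lay out the single-public-IP scheme Matt asks about on a FreeBSD 8 host, with the service jails on private addresses bound to a cloned loopback interface, pf NAT/PAT sharing the host's one public address, and a pf block rule so that a compromised jail cannot originate traffic toward the internal network. The interface names (lagg0 public, lagg1 private, lo1 for the jails), the 10.0.0.0/24 jail range, the 192.168.1.0/24 internal range, the two jail names and their paths are all assumptions; a single services jail is the same layout with one jail_* entry and one rdr target.

```conf
# --- /etc/rc.conf fragment (FreeBSD 8 rc.d jail variables) ---
# All names, addresses and paths below are assumed for illustration.
gateway_enable="YES"                 # the box routes between lagg0 and lagg1
pf_enable="YES"
cloned_interfaces="lo1"              # private interface the jail addresses live on

jail_enable="YES"
jail_list="www mail"

jail_www_rootdir="/usr/jails/www"
jail_www_hostname="www.example.com"
jail_www_ip="10.0.0.2"
jail_www_interface="lo1"
jail_www_devfs_enable="YES"

jail_mail_rootdir="/usr/jails/mail"
jail_mail_hostname="mail.example.com"
jail_mail_ip="10.0.0.3"
jail_mail_interface="lo1"
jail_mail_devfs_enable="YES"

# --- /etc/pf.conf fragment (place above the host's usual policy) ---
ext_if    = "lagg0"                  # public failover lagg
int_if    = "lagg1"                  # private failover lagg
jail_net  = "10.0.0.0/24"
int_net   = "192.168.1.0/24"
www_jail  = "10.0.0.2"
mail_jail = "10.0.0.3"

# Outbound: every jail shares the host's single public address (PAT),
# so no extra public IP is needed for the services.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Inbound: forward the public service ports to the jail that serves
# them; pf preserves the destination port when none is given.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $www_jail
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 143, 993 } -> $mail_jail

# Containment: nothing from the jail range may reach the internal net,
# and nothing from it may leave via the private interface at all.
# "quick" makes these win before any later pass rule.
block drop quick from $jail_net to $int_net
block drop quick on $int_if from $jail_net to any

# What the jails are allowed: answer the forwarded connections and make
# their own outbound connections (DNS, SMTP delivery, package fetches).
pass in quick on $ext_if proto tcp to { $www_jail, $mail_jail } keep state
pass out quick on $ext_if from $jail_net to any keep state
```

The point of the two block rules is that the decision happens on the host, outside the jail: even with root inside www or mail, the attacker cannot change the host's pf ruleset or give the jail an address on the private lagg. The openvpn process stays on the host with the public address and the tunnel, so its traffic is untouched by the nat and rdr lines, which match only on the jail range. Check the result with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) after `pfctl -f /etc/pf.conf`, and from inside a jail confirm that a connection to an address in $int_net is dropped rather than answered.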