Date: Wed, 11 Aug 2010 14:50:27 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Randal L. Schwartz" <merlyn@stonehenge.com>
Cc: Fbsd8 <fbsd8@a1poweruser.com>, Brice ERRANDONEA <berrandonea@yahoo.fr>, freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?
Message-ID: <4C62AAA3.7090708@infracaninophile.co.uk>
In-Reply-To: <86aaotxopm.fsf@red.stonehenge.com>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <4C61E8B1.7050605@a1poweruser.com> <86mxsuynm0.fsf@red.stonehenge.com> <4C625468.8010805@infracaninophile.co.uk> <86aaotxopm.fsf@red.stonehenge.com>
On 11/08/2010 14:29, Randal L. Schwartz wrote:
>>>>>> "Matthew" == Matthew Seaman <m.seaman@infracaninophile.co.uk> writes:
>
> Matthew> Yes, you can achieve the same effect using firewall rules, but
> Matthew> as I have occasionally said before, firewalls should be
> Matthew> optional -- ideally your system should be secure even if you
> Matthew> turn the firewall off.
>
> Well, I already have pf fired up to deal with web and ssh rate limiting,
> so firing up a natd seems a bit redundant.
>

I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it. For the second case, you would need
pf to do the NAT'ing (or ipfw+natd if that's your preference).

With this trick of binding the sensitive daemons to an address on the
loopback, you are still secure even if pf gets turned off. Of course,
"secure" is not necessarily the same as "working."

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C62AAA3.7090708>
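The message above argues that daemons bound to a loopback address stay unreachable even with pf switched off, while anything listening on a public address is protected only by firewall rules. The script below is an added example, not code from the thread or from FreeBSD: it audits `sockstat -4l` output for listeners that would be exposed without pf, and for listeners that cannot be rebound it emits the pf `block` rules that would cover them (the first of the two approaches Matthew contrasts). The `sockstat` column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN), the jail alias `10.0.0.1` on lo1, the interface name `em0` and the sample sockstat lines are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes FreeBSD `sockstat -4l`
# text output with the columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# exposed_listeners [private_addr ...]
#   Reads `sockstat -4l` output on stdin and prints "PROTO LOCAL COMMAND" for
#   every listener whose local address is neither in 127.0.0.0/8 nor one of
#   the extra addresses given as arguments (e.g. a jail alias on lo1).
#   Exit status 1 if anything is exposed, 0 otherwise.
exposed_listeners() {
    awk -v extra="$*" '
        BEGIN {
            n = split(extra, list, " ")
            for (i = 1; i <= n; i++) private[list[i]] = 1
        }
        $1 == "USER" { next }                     # column header line
        $5 !~ /^(tcp|udp)/ { next }               # only IP sockets
        {
            local = $6
            # LOCAL is "addr:port"; a wildcard bind shows up as "*:port"
            p = match(local, /:[0-9*]+$/)
            addr = p ? substr(local, 1, p - 1) : local
            if (addr ~ /^127\./) next              # loopback: safe with pf off
            if (addr in private) next              # explicitly private alias
            print $5, local, $2
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# pf_block_rules IFACE
#   Reads lines produced by exposed_listeners on stdin and prints a pf rule
#   blocking inbound traffic to each one on IFACE. Intended for the listeners
#   you have decided cannot be rebound; filter the list before piping it in.
pf_block_rules() {
    awk -v ifc="$1" '
        {
            proto = $1; sub(/[46]$/, "", proto)   # tcp4 -> tcp, udp4 -> udp
            p = match($2, /:[0-9*]+$/)
            addr = substr($2, 1, p - 1)
            port = substr($2, p + 1)
            if (addr == "*") addr = "any"
            printf "block in quick on %s inet proto %s from any to %s port %s  # %s\n",
                   ifc, proto, addr, port, $3
        }
    '
}

# Constructed sample of `sockstat -4l` output (not captured from a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      2345  4  tcp4   *:80                  *:*
root     sshd       1234  3  tcp4   192.0.2.10:22         *:*
mysql    mysqld     3456  10 tcp4   *:3306                *:*
pgsql    postgres   4567  5  tcp4   10.0.0.1:5432         *:*
root     syslogd    111   6  udp4   127.0.0.1:514         *:*'

# audit_sample: run the check on the sample, treating 10.0.0.1 (assumed jail
# alias on lo1) as private. Returns the audit's exit status.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners 10.0.0.1
}

# On a real host:  sockstat -4l | exposed_listeners 10.0.0.1
# and, for listeners that cannot be rebound to loopback:
#   sockstat -4l | exposed_listeners | grep -v -e httpd -e sshd | pf_block_rules em0
audit_sample || echo "exposed listeners found: only pf is protecting them"
```

Everything the audit prints is reachable from the network the moment pf is disabled or misloaded; the fix the message recommends is to rebind those daemons to a 127.0.0.0/8 address (or the jail's loopback alias), and the generated `block` rules are the fallback for the ones that genuinely must listen on a public address.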