From: Matthew Seaman
To: "Randal L. Schwartz"
Cc: Fbsd8, Brice ERRANDONEA, freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?
Date: Wed, 11 Aug 2010 14:50:27 +0100
Message-ID: <4C62AAA3.7090708@infracaninophile.co.uk>
In-Reply-To: <86aaotxopm.fsf@red.stonehenge.com>

On 11/08/2010 14:29, Randal L. Schwartz wrote:
>>>>>> "Matthew" == Matthew Seaman writes:
>
> Matthew> Yes, you can achieve the same effect using firewall rules, but
> Matthew> as I have occasionally said before, firewalls should be
> Matthew> optional -- ideally your system should be secure even if you
> Matthew> turn the firewall off.
>
> Well, I already have pf fired up to deal with web and ssh rate limiting,
> so firing up a natd seems a bit redundant.
>

I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it. For the second case, you would need
pf to do the NAT'ing (or ipfw+natd if that's your preference).

With this trick of binding the sensitive daemons to an address on the
loopback, you are still secure even if pf gets turned off. Of course,
"secure" is not necessarily the same as "working."

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
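The check that Matthew's advice implies, as an added example that is not part of the thread: a small audit that reads `sockstat -4l` output from inside a jail and reports every daemon that is reachable from the network because it is bound to the jail's public address or to the wildcard, rather than to a loopback alias. The `sockstat` lines, the jail addresses (192.0.2.10 on the NIC, 127.0.1.1 as an alias on lo0) and the daemon names are all constructed for the example; using `sockstat` as the data source is an assumption, not something the message specifies.

```python
"""Audit a jail's listening sockets for daemons reachable off-host.

Added example, not code from the freebsd-questions thread. Each listener
in `sockstat -4l` output is classified as loopback-only (safe even with
pf turned off) or externally reachable (depends on the firewall).
"""
import ipaddress

# Constructed sample of `sockstat -4l` output as it might look inside a
# jail that has two addresses: 192.0.2.10 on the public interface and
# 127.0.1.1 as an alias on lo0. Not captured from a real system.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   192.0.2.10:22         *:*
www      httpd      2001  3  tcp4   192.0.2.10:80         *:*
mysql    mysqld     1888  10 tcp4   127.0.1.1:3306        *:*
redis    redis-serv 1901  6  tcp4   *:6379                *:*
root     syslogd    600   5  udp4   127.0.1.1:514         *:*
"""


def parse_sockstat(text):
    """Turn sockstat's fixed-column listing into a list of dicts.

    The header row is skipped; each data row yields user, command, pid,
    proto, the local bind address and the local port.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        # "LOCAL ADDRESS" is one token such as "127.0.1.1:3306" or "*:6379";
        # rpartition keeps the split safe if an address ever contained ':'.
        addr, _, port = local.rpartition(":")
        rows.append({
            "user": user,
            "command": command,
            "pid": int(pid),
            "proto": proto,
            "addr": addr,
            "port": int(port),
        })
    return rows


def is_loopback_only(addr):
    """True when a bind address can only be reached from the host itself.

    Inside a jail the wildcard '*' means every address the jail owns, which
    includes the public one, so it is never loopback-only. Anything in
    127.0.0.0/8 is unroutable from the network.
    """
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(text):
    """Return the listeners whose reachability depends on the firewall."""
    return [row for row in parse_sockstat(text) if not is_loopback_only(row["addr"])]


if __name__ == "__main__":
    for row in exposed_listeners(SAMPLE_SOCKSTAT):
        print("%-10s pid %-5d %s %s:%d reachable from the network"
              % (row["command"], row["pid"], row["proto"], row["addr"], row["port"]))
```

On the constructed sample the audit flags sshd, httpd and redis (the wildcard bind), and accepts mysqld and syslogd on the 127.0.1.1 alias. One caveat for the jail case: unless the jail has actually been given an address on lo0, a daemon configured to bind 127.0.0.1 is rewritten by the kernel to the jail's first address, so the loopback setting in the daemon's config means nothing until the jail's address list includes the alias. Run the listing and check what the socket is really bound to, rather than trusting the configuration file.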