From: Fbsd8 <fbsd8@a1poweruser.com>
Date: Fri, 15 Oct 2010 08:35:39 -0400
To: matt@webcontracts.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: Jail question
Message-ID: <4CB84A9B.7080605@a1poweruser.com>

Matthew Law wrote:
> I have a single box on which I would like to run openvpn, smtp (postfix,
> dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also
> acts as a network gateway, so it would give an attacker carte blanche to
> the internal nets if it was compromised, which makes me nervous. The plan
> is to run openvpn as the only unjailed service and the rest of the
> services in a single jail or their own jails.
>
> I have never touched jails before and I'm a bit unsure of the best way to
> go. I realise that I can jail a service or a copy of the whole system
> (service would be preferable for space efficiency), but I am unclear on how
> to deal with IP addresses in jailed environments and if I should create
> individual jails or a single jail for all services. At the moment I am
> leaning toward a single system jail for everything so I can keep the space
> in which openvpn runs as uncluttered as possible and also have a single
> postgres instance shared by the other services. Basically, if any of the
> public services in the jail are compromised I would like to make it very
> hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the
> services jail, or is it possible to use a single IP or some NAT/PAT scheme?
> This box currently has 4 x NICs split into 2x lagg interfaces in failover
> mode (one public, one private), if that makes any difference....
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.
>

Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the meantime you can get qjail from here:

http://sourceforge.net/projects/qjail/files/