Date: Wed, 11 Aug 2010 21:18:09 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: David Allen <the.real.david.allen@gmail.com>
Cc: Fbsd8 <fbsd8@a1poweruser.com>, Brice ERRANDONEA <berrandonea@yahoo.fr>, freebsd-questions@freebsd.org, "Randal L. Schwartz" <merlyn@stonehenge.com>
Subject: Re: How to connect a jail to the web ?
Message-ID: <4C630581.4000908@infracaninophile.co.uk>
In-Reply-To: <AANLkTi=k_t0iFoL4M1KyRKmc8OzQ9501tVLH=T5eqdyC@mail.gmail.com>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <4C61E8B1.7050605@a1poweruser.com> <86mxsuynm0.fsf@red.stonehenge.com> <4C625468.8010805@infracaninophile.co.uk> <86aaotxopm.fsf@red.stonehenge.com> <4C62AAA3.7090708@infracaninophile.co.uk> <AANLkTi=k_t0iFoL4M1KyRKmc8OzQ9501tVLH=T5eqdyC@mail.gmail.com>
On 11/08/2010 15:10:06, David Allen wrote:
>> I meant that you could block access to private servers which need to
>> listen on public network ports by just using firewall rules, as opposed
>> to making the whole jail hang off a private interface and just
>> forwarding selected traffic to it.
>>
>> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
>> if that's your preference). With this trick of binding the sensitive
>> daemons to an address on the loopback, you are still secure even if pf
>> gets turned off. Of course, "secure" is not necessarily the same as
>> "working."
>
> I've read comments in the past about setting up jails using local
> loopback addresses, but I'm wondering if you wouldn't mind elaborating
> on what the actual pf rules would look like.
>
> Say you have 3 jails and more than one public IP address:
>
> ns   127.0.0.2  public_ip_1
> mail 127.0.0.3  public_ip_2
> www  127.0.0.4  public_ip_3
>
> You want to pass port 25 traffic to/from the 'mail' jail. But you also
> need that jail to use the correct public_ip address. Is that possible
> without using, for example, pf's binat?
>
> Thanks.

Sure. In the best Blue Peter tradition[*], here's one I prepared earlier:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-March/171748.html

While that talks about redirecting a couple of TCP and one UDP service
into a single jailed host, I think it's pretty clear how to get from
there to having several different jails, each running a different
service.

Cheers,

Matthew

[*] It's a British thing. You have to have been brought up here to
understand.

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
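The question above asks what the pf rules look like for jails bound to loopback addresses with one public address each. The following pf.conf is an added example written for this archive page; it is not the configuration from Matthew's referenced 2008 post and not part of the original thread. It uses the three jails and loopback addresses from the question; the interface name `em0` and the 192.0.2.x public addresses are placeholders standing in for public_ip_1 to public_ip_3, and the ports chosen for the ns and www jails are assumptions beyond the port 25 the question mentions. It answers the binat question with a separate `nat` rule (outbound source rewrite) and `rdr` rule (inbound redirect) per jail, which is the shape the quoted reply describes.

```pf
# Added example (not from the referenced post). Placeholders: em0 and
# the 192.0.2.x addresses stand in for the real interface and public IPs.
ext_if = "em0"

ns_pub   = "192.0.2.1"   # public_ip_1
mail_pub = "192.0.2.2"   # public_ip_2
www_pub  = "192.0.2.3"   # public_ip_3

ns_jail   = "127.0.0.2"  # loopback alias the ns jail is bound to
mail_jail = "127.0.0.3"  # loopback alias the mail jail is bound to
www_jail  = "127.0.0.4"  # loopback alias the www jail is bound to

# Outbound: rewrite each jail's loopback source to its own public address,
# so e.g. mail sent from the mail jail leaves as public_ip_2. This is what
# makes binat unnecessary: nat handles the outbound half, rdr the inbound.
nat on $ext_if from $ns_jail   to any -> $ns_pub
nat on $ext_if from $mail_jail to any -> $mail_pub
nat on $ext_if from $www_jail  to any -> $www_pub

# Inbound: redirect only the ports each jail is meant to serve. A daemon
# listening on 127.0.0.x is unreachable from outside unless a rdr rule
# exists for it, which is the "still secure even if pf gets turned off"
# property from the quoted reply (with pf off, nothing is redirected).
rdr on $ext_if proto { tcp, udp } from any to $ns_pub   port 53 -> $ns_jail
rdr on $ext_if proto tcp          from any to $mail_pub port 25 -> $mail_jail
rdr on $ext_if proto tcp          from any to $www_pub  port { 80, 443 } -> $www_jail

# Filter rules see the packet after translation, so they match on the
# jail's loopback address, not the public one. Default deny inbound.
block in on $ext_if
pass in on $ext_if proto { tcp, udp } from any to $ns_jail   port 53 keep state
pass in on $ext_if proto tcp          from any to $mail_jail port 25 keep state
pass in on $ext_if proto tcp          from any to $www_jail  port { 80, 443 } keep state
pass out on $ext_if keep state
```

For the loopback aliases to exist before the jails start, each address also has to be configured on lo0 on the host (in rc.conf, a line of the form `ifconfig_lo0_alias0="inet 127.0.0.3 netmask 255.255.255.255"` per jail) and given to the jail as its address. Check the translation rules with `pfctl -s nat` after loading; a jail whose daemon is reachable from outside without a matching `rdr` line indicates it is bound to the public address rather than its loopback alias.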