Date: Thu, 3 Dec 2015 18:45:16 -0800
From: Aleksandr Miroslav <alexmiroslav@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: best practice for locking down private jail?
Message-ID: <CACcSE1zhMLnbo%2BbOixOM_ZLBpP%2BszbmzfFH_12v36ezy34fs9g@mail.gmail.com>
In-Reply-To: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org>
References: <CACcSE1yQO8AjW9rpY%2Bd2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org>
On Wed, Dec 2, 2015 at 11:39 PM, Steve O'Hara-Smith <steve@sohara.org> wrote:

> I would set up two jails - one as the upload jail the other the web
> server and use a cron job on the host to move verified mp3 files

Excellent advice, I will do just that.

> don't use Apache, use a minimalist web server that can only serve
> static files (thttpd can be set up this way - there are others).

thttpd doesn't look like it's been updated in a while, but a bit of Googling shows that lighttpd, nginx, and hiawatha are all small secure web servers. Any recommendations from these?

> Finally I'd use pf to lock down the traffic so that nothing gets to
> the jails that shouldn't.

I only have redirects for both the web server jail and the file uploader jail that look like this:

rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port = $JAIL_UPLOADER_SSH_EXTERNAL_PORT -> $JAIL_UPLOADER_IP port $JAIL_UPLOADER_SSH_PORT
rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port = $JAIL_WEB_HTTP_EXTERNAL_PORT -> $JAIL_WEB_IP port $JAIL_WEB_HTTP_PORT

And both jails are on private IPs that don't talk to each other or the outside host/world. Is this sufficient or should I add blocks for these private jails as well?
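One way to answer the closing question, as an added example that is not from the thread: a pf.conf fragment that keeps the two redirects but drops the `pass` modifier (with `rdr pass`, redirected packets skip the filter rules entirely), then adds a logged default block, explicit pass rules for only the two redirected services, and a quick block on anything the jails themselves originate. Interface names, addresses and port numbers are assumed placeholders, and the host-SSH rule is an assumption about how the host is administered.

```pf
# Added example, not from the thread. Macro values are assumed placeholders.
EXT_NIC = "em0"
JAIL_NIC = "lo1"             # assumed: cloned loopback carrying the jail addresses
PUBLIC_IP = "203.0.113.10"   # documentation-range placeholder
JAIL_UPLOADER_IP = "10.0.0.10"
JAIL_WEB_IP = "10.0.0.20"
JAIL_UPLOADER_SSH_EXTERNAL_PORT = "2222"
JAIL_UPLOADER_SSH_PORT = "22"
JAIL_WEB_HTTP_EXTERNAL_PORT = "80"
JAIL_WEB_HTTP_PORT = "80"

set skip on lo0

# Translation only: plain rdr, so the filter section below is evaluated for the
# redirected packets as well. "rdr pass" would bypass every rule under it.
rdr on $EXT_NIC inet proto tcp from any to $PUBLIC_IP \
    port = $JAIL_UPLOADER_SSH_EXTERNAL_PORT -> $JAIL_UPLOADER_IP port $JAIL_UPLOADER_SSH_PORT
rdr on $EXT_NIC inet proto tcp from any to $PUBLIC_IP \
    port = $JAIL_WEB_HTTP_EXTERNAL_PORT -> $JAIL_WEB_IP port $JAIL_WEB_HTTP_PORT

# Default deny, logged, so anything not explicitly passed shows up in pflog.
block log all

# Jails initiate nothing: no jail-to-jail, jail-to-host or jail-to-Internet
# connections. Stateful replies to the passes below still flow, because pf
# matches existing state before it consults this rule.
block drop log quick inet from { $JAIL_UPLOADER_IP, $JAIL_WEB_IP } to any

# Host itself: outbound traffic and admin SSH (assumed port 22 on the host).
pass out on $EXT_NIC inet from $PUBLIC_IP keep state
pass in on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port 22 \
    flags S/SA keep state

# Only the two redirected services may reach the jails, matched on the
# post-translation destination (the jail address and internal port).
pass in on $EXT_NIC inet proto tcp from any to $JAIL_UPLOADER_IP \
    port $JAIL_UPLOADER_SSH_PORT flags S/SA keep state
pass in on $EXT_NIC inet proto tcp from any to $JAIL_WEB_IP \
    port $JAIL_WEB_HTTP_PORT flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for a while after: any jail-originated packet hitting the quick block is a sign something inside a jail is trying to talk when it should not.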