jail design
Ollivier Robert
roberto at keltia.net
Mon Jul 29 13:44:02 UTC 2013
Hello,
I have a new server I'm going to run all my services on (www, smtp/imap, and so on). Running 9.2-BETA1, full ZFS-on-root.
What are the best practices for jails, knowing that:
- I have only one IPv4
- I have a full /48 IPv6 to play with
I've looked at ezjail which is doing most of what I need but it does not support ip4/ip6=inherit parameters (and no jail.conf support either) so my networking setup is more complicated. All the other packages like qjail have only limited ZFS support.
Do I need to set up pf to redirect all traffic in/out for specific ports to my jails? Or do I try to shoehorn "inherit" into ezjail? Is inherit easier to deal with? What are the security implications?
I need something as easy as ezjail or a way to tweak it, with
- one jail for smtp/imap
- one for www stuff, ideally one jail per hosted domain (using nginx)
I'm a jail newbie, in case you haven't found it already :)
Thanks,
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto at keltia.net
In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/