jail design

wishmaster artemrts at ukr.net
Mon Jul 29 21:19:53 UTC 2013



 --- Original message ---
From: "Ollivier Robert" <roberto at keltia.net>
Date: 29 July 2013, 16:44:11

 
> Hello,
> 
> I have a new server I'm going to run all my services on (www, smtp/imap, and so on).  Running 9.2-BETA1, full ZFS-on-root.
> 
> What is the best practices about jails knowing that:
> - I have only one IPv4
> - I have a full /48 IPv6 to play with
> 
> I've looked at ezjail which is doing most of what I need but it does not support ip4/ip6=inherit parameters (and no jail.conf support either) so my networking setup is more complicated. All the other packages like qjail have only limited ZFS support.

  ezjail is a good tool, but not suitable for vnet, so from my experience:
 - I use a slightly patched ezjail to create the jail environment, update it and so on. Also I have made a 'newjail' suitable for login and network and have populated it with base packages like mc, perl and so on.
 - I use jail2 from ports as the startup script, which reads configs from jail.conf, not from rc.conf
 - I use vnet jails which communicate with the world and each other via epair interfaces
 - as firewall - ipfw, disabled in each jail, but filtering on each epair*a interface. ipfw is configured with per-interface ACLs.

> Do I need to setup pf to redirect all traffic in/out for specific ports to my jails? Or do I try to shoehorn "inherit" into ezjail?  Is inherit easier to deal with?  What are the security implications?
> 
> I need something as easy as ezjail or a way to tweak it, with
> - one jail for smtp/imap
> - one for www stuff, ideally one jail per hosted domain (using nginx)
  Use nginx in a separate jail with virtual hosts. Why do you need one vhost per jail?
> 
> I'm a jail newbie, in case you haven't found it already :)
> 
> Thanks,
> 
> -- 
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto at keltia.net
> In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
> 
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
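As an added illustration of the layout wishmaster describes (a vnet jail reached through an epair pair, with ipfw filtering on the host-side epair*a interface and the rules kept in jail.conf rather than rc.conf), here is a jail.conf entry; it is not from either message, and the jail name, path, hostname, addresses and rule numbers are made-up assumptions.

```conf
# Constructed example: one vnet jail for nginx, attached via epair0.
# epair0a stays on the host (filtered by ipfw), epair0b is moved into the jail.
www {
    host.hostname = "www.example.org";      # assumed hostname
    path = "/usr/jails/www";                # assumed jail root (e.g. a ZFS dataset)
    vnet;                                   # jail gets its own network stack
    vnet.interface = "epair0b";             # jail-side end of the pair

    # Host side: create the pair and address the host end before the jail starts.
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.1/24 up";   # assumed host address

    # Per-interface ACL on epair0a: only HTTP/HTTPS may enter the jail from outside;
    # everything the jail originates may leave. Rule numbers are arbitrary.
    exec.prestart += "ipfw add 1000 allow tcp from any to 10.0.0.2 80,443 in via epair0a";
    exec.prestart += "ipfw add 1010 allow ip from 10.0.0.2 to any out via epair0a";
    exec.prestart += "ipfw add 1020 deny log ip from any to any via epair0a";

    # Inside the jail its own rc.conf sets ifconfig_epair0b="inet 10.0.0.2/24".
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Tear down the ACL and the interface pair when the jail stops.
    exec.poststop  = "ipfw delete 1000 1010 1020";
    exec.poststop += "ifconfig epair0a destroy";

    mount.devfs;
}
```

The single public IPv4 from the question is not addressed here; with this layout it would still require a NAT or redirect rule on the host's outside interface, which ipfw can do as well.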

