Jail question

doug doug at fledge.watson.org
Thu Oct 14 18:19:54 UTC 2010


On Thu, 14 Oct 2010, Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix,
> dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
> acts as a network gateway so it would give an attacker carte blanche to
> the internal nets if it was compromised, which makes me nervous.  The plan
> is to run openvpn as the only unjailed service and the rest of the
> services in a single jail or their own jails.
>
> I have never touched jails before and I'm a bit unsure of the best way to
> go.  I realise that I can jail a service or a copy of the whole system
> (service would be preferable for space efficiency) but I am unclear on how
> to deal with IP addresses in jailed environments and if I should create
> individual jails or a single jail for all services.  At the moment I am
> leaning toward a single system jail for everything so I can keep the space
> in which openvpn runs as uncluttered as possible and also have a single
> postgres instance shared by the other services.  Basically, if any of the
> public services in the jail are compromised I would like to make it very
> hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the
> services jail or is it possible to use a single IP or some NAT/PAT scheme?
> -this box currently has 4 x NICs split into 2x lagg interfaces in failover
> mode (one public, one private), if that makes any difference....
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.
>

Starting with FreeBSD 8 jails may have multiple IPs and can use sockets. AFAIK 
this makes a jail pretty much like a separate physical system in a functional 
sense. Between man jail and the handbook there is a clear explanation of the 
management and setup procedures. Hopefully those with a better understanding of 
the internals will weigh in with the liabilities for what you want to do.
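The multi-address setup mentioned in the reply above, as an added illustration that is not part of this thread: a FreeBSD 8 rc.conf fragment (the rc.d/jail syntax that predates jail.conf(5)) defining one services jail with a public address on the public lagg interface and a loopback alias for host-to-jail traffic, so the jail is never given an address on the private-side lagg. The jail name, root directory, hostname, interface names and the addresses (RFC 5737 documentation range and a 127/8 alias) are constructed for the example.

```conf
# /etc/rc.conf fragment (constructed example, FreeBSD 8 rc.d/jail syntax)

# A cloned loopback interface gives the jail a host-only address
# without putting it on the internal network (lagg1).
cloned_interfaces="lo1"

jail_enable="YES"
jail_list="services"

# Where the jail's own userland lives (full copy or a thin tree, as preferred).
jail_services_rootdir="/usr/jails/services"
jail_services_hostname="services.example.org"

# Comma-separated list of addresses; each entry may carry an
# "interface|address/prefix" prefix so the alias lands on the right NIC.
# lagg0 is the public failover pair, lo1 is loopback-only: nothing on lagg1.
jail_services_ip="lagg0|203.0.113.10/32,lo1|127.0.1.1/32"

# Standard boot/shutdown inside the jail and a private devfs.
jail_services_devfs_enable="YES"
jail_services_exec_start="/bin/sh /etc/rc"
jail_services_exec_stop="/bin/sh /etc/rc.shutdown"
```

With this in place `service jail start services` (or a reboot) adds the two aliases, starts the jail, and the jailed daemons bind only to 203.0.113.10 and 127.0.1.1; anything listening on lagg1 stays in the host, which is the separation the question is after. Whether OpenVPN on the host and the jailed services need distinct public addresses then comes down to port overlap, since both can bind to the same address as long as no two daemons claim the same port.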
