kraduk at gmail.com
Thu Oct 14 20:48:16 UTC 2010
On 14 October 2010 19:19, doug <doug at fledge.watson.org> wrote:
> On Thu, 14 Oct 2010, Matthew Law wrote:
> I have a single box on which I would like to run openvpn, smtp (postfix,
>> dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also
>> acts as a network gateway so it would give an attacker carte blanche to
>> the internal nets if it was compromised, which makes me nervous. The plan
>> is to run openvpn as the only unjailed service and the rest of the
>> services in a single jail or their own jails.
>> I have never touched jails before and I'm a bit unsure of the best way to
>> go. I realise that I can jail a service or a copy of the whole system
>> (service would be preferable for space efficiency) but I am unclear on how
>> to deal with IP addresses in jailed environments and if I should create
>> individual jails or a single jail for all services. At the moment I am
>> leaning toward a single system jail for everything so I can keep the space
>> in which openvpn runs as uncluttered as possible and also have a single
>> postgres instance shared by the other services. Basically, if any of the
>> public services in the jail are compromised I would like to make it very
>> hard for the attacker to see the internal network.
>> If I use this scheme must I use separate public IPs for openvpn and the
>> services jail or is it possible to use a single IP or some NAT/PAT scheme?
>> -this box currently has 4 x NICs split into 2x lagg interfaces in failover
>> mode (one public, one private), if that makes any difference....
>> Sorry for the rambling question and I hope this makes sense!
> Starting with FreeBSD 8 jails may have multiple IPs and can use sockets.
> AFAIK this makes a jail pretty much like a separate physical system in a
> functional sense. Between man jail and the handbook there is a clear
> explaination of the management and setup procedures. Hopefully those with a
> better understanding of the internals will weigh in with the liabilities for
> what you want to do.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"o
how ever you decide to do it have a look a qjail, as its a good managment
tool especially if you have multiple jails
More information about the freebsd-questions