Jail question

krad kraduk at gmail.com
Thu Oct 14 20:48:16 UTC 2010

On 14 October 2010 19:19, doug <doug at fledge.watson.org> wrote:

> On Thu, 14 Oct 2010, Matthew Law wrote:
>> I have a single box on which I would like to run openvpn, smtp (postfix,
>> dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
>> acts as a network gateway so it would give an attacker carte blanche to
>> the internal nets if it was compromised, which makes me nervous.  The plan
>> is to run openvpn as the only unjailed service and the rest of the
>> services in a single jail or their own jails.
>> I have never touched jails before and I'm a bit unsure of the best way to
>> go.  I realise that I can jail a service or a copy of the whole system
>> (service would be preferable for space efficiency) but I am unclear on how
>> to deal with IP addresses in jailed environments and if I should create
>> individual jails or a single jail for all services.  At the moment I am
>> leaning toward a single system jail for everything so I can keep the space
>> in which openvpn runs as uncluttered as possible and also have a single
>> postgres instance shared by the other services.  Basically, if any of the
>> public services in the jail are compromised I would like to make it very
>> hard for the attacker to see the internal network.
>> If I use this scheme must I use separate public IPs for openvpn and the
>> services jail or is it possible to use a single IP or some NAT/PAT scheme?
>> -this box currently has 4 x NICs split into 2x lagg interfaces in failover
>> mode (one public, one private), if that makes any difference....
>> Sorry for the rambling question and I hope this makes sense!
>> Matt.
> Starting with FreeBSD 8 jails may have multiple IPs and can use sockets.
> AFAIK this makes a jail pretty much like a separate physical system in a
> functional sense. Between man jail and the handbook there is a clear
> explanation of the management and setup procedures. Hopefully those with a
> better understanding of the internals will weigh in with the liabilities for
> what you want to do.
However you decide to do it, have a look at qjail, as it's a good management
tool, especially if you have multiple jails.
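
An added example, not from the thread, of the single-public-IP layout Matt asks about: FreeBSD 8.x rc.conf(5) jail variables with pf(4) providing the NAT/PAT, so openvpn stays on the host, the services jail gets a loopback-only address, and pf redirects the service ports in, sources the jail's outbound traffic from the public IP, and denies the jail any path to the internal net. The addresses, interface names, hostname and jail path are assumptions.

```conf
# Added example, not from the thread. Hypothetical values: 203.0.113.10 is
# the public IP on lagg0, 192.168.10.0/24 is the internal net on lagg1, the
# services jail lives on loopback alias 127.0.1.2 (lo1) under /usr/jails.

# ---- /etc/rc.conf (host) ----
gateway_enable="YES"
pf_enable="YES"
openvpn_enable="YES"                  # openvpn is the only unjailed service
cloned_interfaces="lo1"               # private loopback that carries jail IPs
syslogd_flags="-ss"                   # host syslogd: no network socket at all
# also pin host sshd with "ListenAddress 203.0.113.10" in sshd_config so host
# daemons never hold the ports the jail needs
jail_enable="YES"
jail_list="services"
jail_services_rootdir="/usr/jails/services"
jail_services_hostname="services.example.org"
jail_services_interface="lo1"
jail_services_ip="127.0.1.2"          # the jail can bind to this address only
jail_services_devfs_enable="YES"

# ---- /etc/pf.conf (host) ----
ext_if   = "lagg0"
int_if   = "lagg1"
ext_ip   = "203.0.113.10"
int_net  = "192.168.10.0/24"
jail_ip  = "127.0.1.2"
jail_tcp = "{ 25, 80, 143, 443, 993 }"   # smtp, http, imap, https, imaps

# one public IP shared by host and jail: pf redirects the service ports into
# the jail and sources the jail's own outbound traffic from the public IP
rdr on $ext_if proto tcp from any to $ext_ip port $jail_tcp -> $jail_ip
nat on $ext_if from $jail_ip to any tag JAIL_OUT -> $ext_ip

block log all                          # default deny (internal-net policy omitted)
# a compromised jail must not see the internal net; evaluated before any pass
block drop log quick from $jail_ip to $int_net
# openvpn terminates on the host itself
pass in on $ext_if proto udp from any to $ext_ip port 1194 keep state
# inbound filtering sees the post-rdr address, so match on the jail IP
pass in on $ext_if proto tcp from any to $jail_ip port $jail_tcp keep state
# outbound filtering sees the post-nat address, so match on the tag instead
pass out on $ext_if tagged JAIL_OUT keep state
```

Because the jail is confined to 127.0.1.2, openvpn on the host and the jailed daemons never compete for a port even though only one public address is in use; the `quick` block is what keeps a compromised service from reaching the gateway's internal side.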

