jails, ipfilter & stunnel
Uwe Doering
gemini at geminix.org
Sat Jul 12 23:56:23 PDT 2003
V. Jones wrote:
> I'm setting up a server where I plan to use Jails to improve security.
> I also have installed and am configuring ipfilter. Here are my
> questions:
>
> Because I'm using Jails, I will have to have multiple ip aliases on the
> network interface. I will use ipfilter to specify what can go to each
> of the addresses. (e.g., allow only incoming to port 80 on the jail
> running apache).
You don't have to have multiple IP aliases for multiple jails. Or at
least there is no technical necessity for this (in FreeBSD 4.x, that is;
don't know about 5.x). If it's just about running server processes in
their own jail (no port number conflicts) you can have all jails on the
same IP address and do the IP filtering (if necessary at all in this
scenario) based on port numbers.
> Another jailed server will run mail services (pop, smtp, imap). If
> I want to allow users to use web based email (over ssl of course), the
> web server will have to communicate with the mail server. Is there
> a chance of "information leakage" in this type of setup?
Only the information you transmit will leak. That is, you define the
information interchange between the jails, so pondering over the
consequences is on your plate, too. Just assume that each jail has been
broken into by an intruder with evil intentions and ask yourself what
damage he can do with the data he can gather from the other jails.
Paranoia in action, as it were. ;-)
> Finally, I'd like to use SSL to offer secure web connections & secure email
> without having to buy two certificates. Am I getting too cute if I accept
> ssl connections on one ip address and use stunnel to route them to the
> appropriate jailed server?
In the case of all jails on one IP address this problem goes away, too. You
could define a generic domain name for the SSL stuff, for instance
'secure.domain.tld', get a certificate for that and use it for web as
well as email and other purposes.
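An ipfilter rule set for the shared-IP layout described above, added here as an example and not taken from the original thread. The interface name fxp0 and the shared jail address 192.0.2.10 are assumed; every rule uses "quick" so first match wins, and anything not explicitly opened is logged and dropped.

```conf
# /etc/ipf.rules (constructed example; fxp0 and 192.0.2.10 are assumptions)
# Load with: ipf -Fa -f /etc/ipf.rules
#
# All jails sit on 192.0.2.10, so access control is purely by port number.
# Stance: block everything, then open only what each jailed service serves.

# Jail-to-jail traffic on a shared address travels over lo0, and every jail
# uses the same source address, so lo0 rules can only limit WHICH local ports
# are reachable, not WHICH jail is connecting. Here the web jail is expected
# to reach the mail jail on SMTP and IMAP only; all other local ports are closed.
pass in quick on lo0 proto tcp from 192.0.2.10 to 192.0.2.10 port = 25  flags S keep state
pass in quick on lo0 proto tcp from 192.0.2.10 to 192.0.2.10 port = 143 flags S keep state
pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
block in log quick on lo0 all
pass out quick on lo0 all

# Reject packets arriving from outside that claim our own address.
block in quick on fxp0 from 192.0.2.10/32 to any

# Web jail: apache on 80, stunnel terminating SSL for secure.domain.tld on 443.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80  flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 443 flags S keep state

# Mail jail: SMTP, POP3, IMAP. If POP/IMAP are later served only through
# stunnel, delete the 110 and 143 lines so clear-text access is closed.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 25  flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 110 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 143 flags S keep state

# Connections the jails initiate themselves (outbound SMTP delivery, DNS)
# get state entries so replies are admitted; nothing else comes in.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.10 to any port = 53 keep state

# Final catch-all: log and drop anything not matched above.
block in  log quick on fxp0 all
block out log quick on fxp0 all
```

The log lines produced by the two catch-all rules (read with ipmon) are the first place to look when a jail starts talking to a port it was never meant to use.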
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org | http://www.escapebox.net
More information about the freebsd-security mailing list