jails, ipfilter & stunnel

Uwe Doering gemini at geminix.org
Mon Jul 14 02:45:06 PDT 2003 

V. Jones wrote:
>>You don't have to have multiple IP aliases for multiple jails.  Or at
>>least there is no technical necessity for this (in FreeBSD 4.x, that is,
>>don't kown about 5.x).  If it's just about running server processes in
>>their own jail (no port number conflicts) you can have all jails on the
>>same IP address and do the IP filtering (if necessary at all in this
>>scenario) based on port numbers.
> 
> Okay, I didn't realize I could run more than one jail on one ip address.  I guess if I needed ssh on each jailed server I could just make sure the port number is unique.

True, sshd would cause a port conflict.  Since you cannot inject 
processes into already running jails in FreeBSD 4.x you better have an 
sshd in each of them.  I agree that different port numbers would be the 
way to go here.

>>>Finally, I'd like to use SSL to offer secure web connections & secure
>>
>>email
>>
>>>without having to buy two certificates.  Am I getting too cute if I
>>
>>accept
>>
>>>ssl connections on  one ip address and use stunnel to route them to
> 
> the
> 
>>>appropriate jailed server?
>>
>>In case of all jails on one IP address this problem goes away, too.  You
>>could define a generic domain name for the SSL stuff, for instance
>>'secure.domain.tld', get a certificate for that and use it for web as
>>well as email and other purposes.
>>
>>    Uwe
>>
> 
> This counfuses me - doesn't the host name have to match the certificate?  Can two jails have the same host name too?

Two jails can have the same name.  With

   sysctl jail.set_hostname_allowed=[01]

you can even configure whether you can set the host names from the 
inside, to whatever you want.

Apart from this, a server's host name isn't really important for most 
services and daemons.  You can usually set the names under which they 
are supposed to operate in their respective config files.  This is 
certainly true for Apache, while POP3/IMAP4 daemons usually don't care 
about the host name they get contacted with.  There it is just important 
that you use 'secure.domain.tld' on the client side, in order to match 
the certificate's domain name.  And for SMTP you can point the DNS MX 
records to 'secure.domain.tld'.  All this has nothing to do with the 
host name used for the respective jail.

Hope this wasn't too confusing.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org  |  http://www.escapebox.net

More information about the freebsd-security mailing list