jails, ipfilter & stunnel

V. Jones vjones62 at earthlink.net
Mon Jul 14 07:16:24 PDT 2003


> >>You don't have to have multiple IP aliases for multiple jails.  Or at
> >>least there is no technical necessity for this (in FreeBSD 4.x, that
> >>is, don't know about 5.x).  If it's just about running server processes
> >>in their own jail (no port number conflicts) you can have all jails on
> >>the same IP address and do the IP filtering (if necessary at all in
> >>this scenario) based on port numbers.
> >
> > Okay, I didn't realize I could run more than one jail on one IP
> > address.  I guess if I needed ssh on each jailed server I could just
> > make sure the port number is unique.
>
> True, sshd would cause a port conflict.  Since you cannot inject
> processes into already running jails in FreeBSD 4.x you better have an
> sshd in each of them.  I agree that different port numbers would be the
> way to go here.
>
> >>>Finally, I'd like to use SSL to offer secure web connections & secure
> >>>email without having to buy two certificates.  Am I getting too cute
> >>>if I accept ssl connections on one ip address and use stunnel to
> >>>route them to the appropriate jailed server?
> >>
> >>In case of all jails on one IP address this problem goes away, too.
> >>You could define a generic domain name for the SSL stuff, for instance
> >>'secure.domain.tld', get a certificate for that and use it for web as
> >>well as email and other purposes.
> >>
> >>    Uwe
> >>
> >
> > This confuses me - doesn't the host name have to match the
> > certificate?  Can two jails have the same host name too?
>
> Two jails can have the same name.  With
>
>    sysctl jail.set_hostname_allowed=[01]
>
> you can even configure whether you can set the host names from the
> inside, to whatever you want.
>
> Apart from this, a server's host name isn't really important for most
> services and daemons.  You can usually set the names under which they
> are supposed to operate in their respective config files.  This is
> certainly true for Apache, while POP3/IMAP4 daemons usually don't care
> about the host name they get contacted with.  There it is just important
> that you use 'secure.domain.tld' on the client side, in order to match
> the certificate's domain name.  And for SMTP you can point the DNS MX
> records to 'secure.domain.tld'.  All this has nothing to do with the
> host name used for the respective jail.
>
> Hope this wasn't too confusing.
>
>     Uwe
>

Okay, thanks.  I'll have to do some experimenting and see how it works. 
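To make the setup discussed above concrete, here is an added example; it is not code from the thread, from Uwe, or from FreeBSD's own rc scripts. It assumes two FreeBSD 4.x jails ('www' and 'mail') sharing the single aliased address 192.0.2.10 on fxp0, an sshd in each jail listening on its own port (2201/2202, set in each jail's sshd_config), stunnel 4 running on the host with one certificate for secure.domain.tld at an assumed path, and ipfilter passing traffic per port. The service inventory is constructed for the demo; the jail paths and ports are placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread): two FreeBSD 4.x jails on ONE
# shared IP, told apart only by port numbers, with stunnel on the host
# terminating SSL for a single 'secure.domain.tld' certificate and ipfilter
# passing traffic per port.  IP, interface, paths, ports and jail names
# are assumptions for the demo.

SHARED_IP=192.0.2.10          # assumed: the one aliased address all jails use
IFACE=fxp0                    # assumed external interface
CERT=/usr/local/etc/stunnel/secure.domain.tld.pem   # assumed cert path

# Constructed inventory: "owner port daemon".  Every listener on the shared
# IP, host or jail, needs a unique port, because the kernel will not let two
# processes bind the same ip:port (the sshd clash Uwe warns about).
PLAN="host 443  stunnel
host 993  stunnel
host 995  stunnel
www  2201 sshd
www  8080 httpd
mail 2202 sshd
mail 1100 pop3d
mail 1430 imapd"

# Return 0 when every port in the plan is unique, 1 (naming the clash on
# stderr) when two services on the shared IP claim the same port.
check_port_conflicts() {
    dups=$(printf '%s\n' "$1" | awk 'NF {print $2}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'port conflict on %s: %s\n' "$SHARED_IP" "$dups" >&2
        return 1
    fi
    return 0
}

# ipfilter rules: pass only the planned ports on the shared IP and block
# everything else addressed to it.  Filtering is by port, not by IP.
ipf_rules() {
    printf '%s\n' "$1" | awk -v ip="$SHARED_IP" -v ifc="$IFACE" '
        NF { printf "pass in quick on %s proto tcp from any to %s port = %d flags S keep state # %s/%s\n",
                    ifc, ip, $2, $1, $3 }
        END { print "block in quick on " ifc " from any to " ip }'
}

# stunnel 4 config: one certificate for secure.domain.tld serves https,
# pop3s and imaps.  Clients connect to the generic name; stunnel forwards
# in the clear to the jail daemon on the shared IP's per-service port.
stunnel_conf() {
    cat <<EOF
cert = $CERT
[https]
accept = $SHARED_IP:443
connect = $SHARED_IP:8080
[pop3s]
accept = $SHARED_IP:995
connect = $SHARED_IP:1100
[imaps]
accept = $SHARED_IP:993
connect = $SHARED_IP:1430
EOF
}

# Start both jails on the same IP (FreeBSD 4.x: jail path hostname ip cmd).
# jail.set_hostname_allowed=0 (from the thread) keeps a jail from renaming
# itself from the inside.  Only runs when invoked as "apply" on a real host.
start_jails() {
    sysctl jail.set_hostname_allowed=0
    for j in www mail; do
        # each jail's /etc/ssh/sshd_config carries its own Port (2201/2202)
        jail /usr/jail/$j $j.domain.tld "$SHARED_IP" /bin/sh /etc/rc
    done
}

if [ "${1:-}" = "apply" ]; then
    check_port_conflicts "$PLAN" || exit 1
    ipf_rules "$PLAN" > /etc/ipf.rules && ipf -Fa -f /etc/ipf.rules
    stunnel_conf > /usr/local/etc/stunnel/stunnel.conf
    start_jails
fi
```

Run it without arguments to inspect the generated rule set (`ipf_rules "$PLAN"`) and stunnel config, and with `apply` on the jail host to load them. Adding a third jail means adding its ports to PLAN; check_port_conflicts refuses the plan if any port is reused on the shared address, which is the one thing the shared-IP layout cannot tolerate.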
