Jails and loopback interfaces

Bigby Findrake bigby at ephemeron.org
Tue Mar 7 10:00:35 PST 2006


I recently did something like this.  I have a webserver in a jail that 
needs to talk to a database, and the webserver is the only thing that 
should talk to the database.

My solution was to use 2 jails: one for the webserver, and another for the 
database.

A jail can only bind to one IP. Presumably you want the webserver to be 
able to talk out of the box, so having the webserver jail bind to a 
loop-back address isn't really the way to go (without getting unnecessarily 
complex with all sorts of NATing and forwarding firewall rules).

Jail 1:
 	* runs webserver
 	* binds to real interface with real, routable IP

Jail 2:
 	* runs database server
 	* binds to loopback interface, isn't directly reachable
 	  from outside the box

As a further piece of advice, if you're using jails at all, you're 
probably concerned with security.  In case you are, you should always 
consider firewalling the jail to make sure that it can't reach things that 
you don't want it to.  I usually implement a few stateful firewall rules 
to make it so that the jail cannot initiate connections outward, because 
if the jail is compromised, you (probably) want to make it so that it 
cannot be used as a platform to launch further attacks.

For example:

# let packets that belong to an already-recorded flow through
ipfw add check-state
# a new inbound TCP connection to the jail creates state; the jail's replies match it
ipfw add allow tcp from any to $JAIL keep-state setup
# everything else to or from the jail is dropped, so it cannot initiate outward
ipfw add deny ip from any to $JAIL
ipfw add deny ip from $JAIL to any

Or, if you know that the only service you want to be available on the jail 
is the web server, why allow any other access at all?

ipfw add check-state
# same as above, but only new connections to port 80 are accepted
ipfw add allow tcp from any to $JAIL 80 keep-state setup
ipfw add deny ip from any to $JAIL
ipfw add deny ip from $JAIL to any

You would, of course, have to modify these rules to accommodate your 
database.

On Tue, 7 Mar 2006, Cyril Jaouich wrote:

> Hi,
>
> Running: FreeBSD 6.0
>
>  I am wondering if it is possible to have access to a loopback IP in a jail. I
> currently have a server running a jail. In the jail, there is a database and a
> web server. I would like to be able to have the database only bind on a
> loopback address and not on the jail's ip.
>
>  Can this be done and how?
>
>  Thanks
>
> -Cyril
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>


/-------------------------------------------------------------------------/
"I'm busy.  What, you think these web-sites are gonna surf themselves???"

                    finger://bigby@ephemeron.org
                   http://www.ephemeron.org/~bigby/
                   irc://irc.ephemeron.org/#the_pub
/-------------------------------------------------------------------------/
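A complete ruleset for the two-jail layout described above, with the database jail included, as an added example that is not part of Bigby's post. The addresses (192.0.2.10 for the web jail, 127.0.0.2 as the lo0 alias for the database jail), port 5432, the rule numbers starting at 1000 and the function names jail_rules, rule_count and load_rules are all assumptions; change them to match the host. Run without arguments the script only prints the rules, so it can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Two-jail ipfw ruleset: web jail on a routable IP, database jail on a loopback alias.
# Added example, not from the original post. Addresses, port and rule numbers are assumptions.

WEB_JAIL="${WEB_JAIL:-192.0.2.10}"   # routable address bound by the web jail (assumed)
DB_JAIL="${DB_JAIL:-127.0.0.2}"      # lo0 alias bound by the database jail (assumed)
DB_PORT="${DB_PORT:-5432}"           # database listener port (assumed; PostgreSQL)
BASE="${BASE:-1000}"                 # first rule number; must come before any broad allow

# Print the ruleset, one "add <number> <rule>" per line, numbered in steps of 10.
# Order matters: the narrow allows must precede the catch-all denies for each jail.
jail_rules() {
    n=$BASE
    emit() { printf 'add %d %s\n' "$n" "$*"; n=$((n + 10)); }

    # Let packets of already-recorded flows through; the allows below create that state.
    emit check-state
    # Web jail: only new TCP connections to port 80 come in; replies ride the state.
    emit allow tcp from any to "$WEB_JAIL" 80 setup keep-state
    # Web jail may open connections to the database jail on its port, and nothing else.
    # This allow has to sit before the "deny ip from $WEB_JAIL to any" rule.
    emit allow tcp from "$WEB_JAIL" to "$DB_JAIL" "$DB_PORT" setup keep-state
    # Everything else to or from either jail is dropped: a compromised jail can
    # neither be reached on another port nor reach out (no DNS, no downloads).
    emit deny ip from any to "$WEB_JAIL"
    emit deny ip from "$WEB_JAIL" to any
    emit deny ip from any to "$DB_JAIL"
    emit deny ip from "$DB_JAIL" to any
}

# Number of rules the set contains (used to clear our numbers before reloading).
rule_count() { jail_rules | wc -l | tr -d ' '; }

# Remove any previous copy of our rules, then load the set. ipfw reads a rule
# file whose lines are ipfw commands without the "ipfw" prefix, so feed it stdin.
load_rules() {
    total=$(rule_count)
    n=$BASE
    i=0
    while [ "$i" -lt "$total" ]; do
        ipfw -q delete "$n" 2>/dev/null || true   # no-op if the number is unused
        n=$((n + 10)); i=$((i + 1))
    done
    jail_rules | ipfw -q /dev/stdin
}

case "${1:-}" in
    load) load_rules ;;   # as root: sh jail-fw.sh load
    *)    jail_rules ;;   # default: preview only
esac
```

Two things to check on the host before loading this: the stock rc.firewall templates pass all traffic via lo0 at rule 100, and the web-to-database leg travels over lo0, so that rule would let it bypass this set unless these rules are numbered below it or it is removed; and the catch-all denies stop the web jail from resolving names or fetching anything, which is the point of the post but is worth remembering before trying to install software from inside the jail.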

