Jails and loopback interfaces
Bigby Findrake
bigby at ephemeron.org
Tue Mar 7 10:00:35 PST 2006
I recently did something like this. I have a webserver in a jail that
needs to talk to a database, and the webserver is the only thing that
should talk to the databse.
My solution was to use 2 jails: one for the webserver, and another for the
database.
A jail can only bind to one IP. Presumably you want the webserver to be
able to talk out of the box, so having the webserver jail bind to a
loop-back address isn't really the way to go (without getting unnecessariy
complex with all sorts of NATing and forwarding firewall rules).
Jail 1:
* runs webserver
* binds to real interface with real, routable IP
Jail 2:
* runs database server
* binds to loopback interface, isn't directly reachable
from outside the box
As a further piece of advice, if you're using jails at all, you're
probably concerned with security. In case you are, you should always
consider firewalling the jail to make sure that it can't reach things that
you don't want it to. I usually implement a few stateful firewall rules
to make it so that the jail cannot initiate connections outward, because
if the jail is compromised, you (probably) want to make it so that it
cannot be used as a platform to launch further attacks.
For example:
ipfw add check-state
ipfw add allow tcp from any to $JAIL keep-state setup
ipfw add deny ip from any to $JAIL
ipfw add deny ip from $JAIL to any
Or, if you know that the only service you want to be available on the jail
is the web server, why allow any other access at all?
ipfw add check-state
ipfw add allow tcp from any to $JAIL 80 keep-state setup
ipfw add deny ip from any to $JAIL
ipfw add deny ip from $JAIL to any
You would, of course, have to modify these rules to accomodate your
database.
On Tue, 7 Mar 2006, Cyril Jaouich wrote:
> Hi,
>
> Running: Freebsd 6.0
>
> I am wondering if it is possible to have acces to loopback ip in a jail. I
> currently have a server running a jail. In the jail, there is a database and a
> web server. I would like to be able to have the database only bind on a
> loopback address and not on the jail's ip.
>
> Can this be done and how?
>
> Thanks
>
> -Cyril
>
>
>
>
>
>
> __________________________________________________________
> Lèche-vitrine ou lèche-écran ?
> magasinage.yahoo.ca
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
/-------------------------------------------------------------------------/
"I'm busy. What, you think these web-sites are gonna surf themselves???"
finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
/-------------------------------------------------------------------------/
More information about the freebsd-security
mailing list