A few jail questions

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Mar 23 00:23:56 PDT 2008

David Allen wrote:
> I've recently been examining the use of jails in FreeBSD, and I have some
> questions I hope someone can shed some light on with respect to running
> virtual servers in jails.
> 1. Upgrading.  This probably a "It Depends" question, but if a host system
> is upgraded (within version numbers), will the new kernel and world on the
> host system cause potential problems with existing jails when they are
> restarted?  Or do the jails need to be rebuilt before they are started?

In general, no.  It is quite possible to host a jail running effectively a
different version of FreeBSD than the base machine -- a technique that is used
extensively in the ports build cluster.  The emulation is not perfect, and
of course the kernel that is used is the one from the base system, but it's
fine for most purposes.

If it's just a case of slight lag between updating the base system and the
jails, then I wouldn't worry about it.

> 2. Localhost.  Jails seem to be implemented using IP address aliasing, so
> anything within the jail that wants to, or is configured to, bind to the
> localhost address, now gets bound to the jail's IP address.  This means
> that what was once local, is now publically available.  Will running a
> firewall on the host system work in such cases?

Yes, a firewall is a good idea.  One very effective method to secure a jail
is to create the jail bound to the *loopback* interface of the main host, and
then use firewall redirect rules to send the wanted traffic to the jail's 
IP, e.g. using pf:

jail_int = ""
jail_ext = ""


nat on $ext_if proto { tcp udp }              \
     from $jail_int                           \
     to !$jail_int -> $jail_ext static-port
rdr on $ext_if proto tcp                      \
     from any                                 \
     to $jail_ext port { 22 80 } -> $jail_int
rdr on $ext_if proto udp                      \
     from any                                 \
     to $jail_ext port 53 -> $jail_int

So in this case, tcp traffic to ports 22 and 80 or udp traffic to port 53
is redirected into the jail.

Variations on this technique are about the only way to effectively give a
jail more than one IP.

> 3. Sendmail.  The usual approach of setting "sendmail_enable=NO" (or using
> DAEMON_OPTIONS) won't prevent sendmail running in a jail from starting up
> and listening for incoming mail from external hosts.  Short of disabling
> sendmail entirely, I'm wondering what approach most people use as a
> workaround.

Fixed by the bind-jail-to-loopback trick above.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
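A fuller version of the bind-jail-to-loopback setup described in the reply, written as an added example rather than taken from the post: it supplies the pieces the quoted fragment leaves out (the $ext_if macro, the lo0 alias the jail binds to, and the pass rules pf still needs after a rdr). The interface name em0, the jail address 127.0.0.2, the public address 192.0.2.10 and the jail name "www" are constructed values.

```pf
# /etc/rc.conf (constructed values): give the host a second loopback
# address and bind the jail to it, so daemons inside the jail that
# listen on "localhost" end up on 127.0.0.2, never on the public NIC.
#   ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255"
#   jail_enable="YES"
#   jail_list="www"
#   jail_www_rootdir="/usr/jails/www"
#   jail_www_hostname="www.example.com"
#   jail_www_ip="127.0.0.2"
#   jail_www_interface="lo0"
#   jail_www_devfs_enable="YES"

# /etc/pf.conf
ext_if   = "em0"          # host's public interface (assumed name)
jail_int = "127.0.0.2"    # jail's real (loopback) address
jail_ext = "192.0.2.10"   # public address on $ext_if that fronts the jail

scrub in all

# Outbound: rewrite the jail's loopback source to the public address.
nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int \
    -> $jail_ext static-port

# Inbound: only the services listed here reach the jail; everything
# else the jail happens to listen on stays private to the host.
rdr on $ext_if proto tcp from any to $jail_ext port { 22 80 } -> $jail_int
rdr on $ext_if proto udp from any to $jail_ext port 53 -> $jail_int

# rdr only rewrites addresses; the filter rules see the translated
# destination ($jail_int) and must explicitly allow it.
block in all
pass out all keep state
pass in on $ext_if proto tcp from any to $jail_int port { 22 80 } \
    flags S/SA keep state
pass in on $ext_if proto udp from any to $jail_int port 53 keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and after the jail starts confirm with `sockstat -4 -l` on the host that its daemons are bound to 127.0.0.2 rather than the public address.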
