freebsd jail: web and database server config questions
Jasvinder S. Bahra
bbdl21548 at blueyonder.co.uk
Tue Oct 13 18:28:58 UTC 2009
I'm no expert but I'll give this a go.
> Is it advisable/wise/okay/clever to run a webserver on my host
> system and a database server on my jailed system? The webserver
> will need to connect to the database system on startup and
> update the database based on client access.
A key concept in securing a system is defence in depth.
Personally, I would set up two jails on the system and run the
database in one jail and the webserver in the other. That way,
if one of the two became compromised, the intruder would still
have to do some work to get system root access.
> However, if a machine gets compromised, it would rather be the
> webserver, therefore running the webserver in the jailed
> environment seems better to me. But how could that be done, if
> the webserver requires to connect through tcp/ip to the
> database server running on the host system? I thought that a
> key-feature of a jailed system is that it can't access
> resources outside the jail.
You're correct that a jail is almost entirely self-contained, but
no more so than a standalone system - and a standalone system can
still communicate with other systems using network communications.
In (exactly) the same way, a process in one jail can still
communicate with a process in another jail.
For example, say you were using MySQL and Apache Webserver. If
the two processes were running on two different systems, they can
communicate with each other via a network connection on port 3306.
As a jailed system is a virtual-standalone system, each of them
would have a virtual-network card, and so two separate IP addresses.
Thus, the two processes could communicate with each other in
exactly the same way as the two actually-standalone systems.
> And how do I go around when I need to update my host system due
> to a security advisory. I heard the jailed environment will not
> be affected? So basically that means I would need to create a
> new jail every time I recompile (as that's the way I'm using to
> stay current)
You're correct, recompiling the host system does not affect the
jailed systems. However there are ways around that. I use a
tool called ezjail. It allows you to update a jail with a single
See http://erdgeist.org/arts/software/ezjail/ and the handbook
for more details.
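
An added example, not part of the original post: a minimal configuration for the two-jail layout described above, with MySQL listening only on its own jail address so the web jail reaches it over TCP port 3306. It uses the jail.conf format of FreeBSD 9.1 and later; the jail names, the lo1 interface, the 10.0.0.x addresses, the paths, the my.cnf location and the account name are all assumptions.

```conf
# ---- /etc/jail.conf on the host (names, paths and addresses are assumptions) ----
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
# Cloned loopback shared by both jails; create it on the host with
# cloned_interfaces="lo1" in /etc/rc.conf.
interface = "lo1";

web {
    # Apache jail: the only address its processes can bind to or connect from.
    ip4.addr = 10.0.0.10;
}

db {
    # MySQL jail: a separate address, so the web jail reaches it like a remote host.
    ip4.addr = 10.0.0.20;
}

# ---- my.cnf inside the db jail (location assumed: /usr/local/etc/my.cnf) ----
[mysqld]
# Listen only on the db jail's own address, on the port named in the post.
bind-address = 10.0.0.20
port         = 3306

# ---- MySQL account, created inside the db jail (account name is hypothetical) ----
# Tie the application account to the web jail's address so that credentials
# alone are not enough to log in from anywhere else:
#   CREATE USER 'webapp'@'10.0.0.10' IDENTIFIED BY '<password placeholder>';
#   GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'webapp'@'10.0.0.10';
```

The web application then uses 10.0.0.20:3306 as its database host. Making the web jail reachable by clients (an address on the external interface, or NAT and redirection on the host) is outside this example.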