How to connect a jail to the web ?
m.seaman at infracaninophile.co.uk
Wed Aug 11 13:50:46 UTC 2010
On 11/08/2010 14:29, Randal L. Schwartz wrote:
>>>>>> "Matthew" == Matthew Seaman <m.seaman at infracaninophile.co.uk> writes:
> Matthew> Yes, you can achieve the same effect using firewall rules, but
> Matthew> as I have occasionally said before, firewalls should be
> Matthew> optional -- ideally your system should be secure even if you
> Matthew> turn the firewall off.
> Well, I already have pf fired up to deal with web and ssh rate limiting,
> so firing up a natd seems a bit redundant.
I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it.
For the second case, you would need pf to do the NAT'ing (or ipfw+natd
if that's your preference). With this trick of binding the sensitive
daemons to an address on the loopback, you are still secure even if pf
gets turned off. Of course, "secure" is not necessarily the same as
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew at infracaninophile.co.uk Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20100811/7418eb01/signature.pgp
More information about the freebsd-questions