Can a home LAN server use a jail as a router?
Da Rock
freebsd-questions at herveybayaustralia.com.au
Mon Dec 6 03:57:19 UTC 2010
On 12/06/10 12:29, Xn Nooby wrote:
> Hello. Is it possible to use FreeBSD to create three "jails" on one
> box, so that one jail can be a router to the internet, and the other
> two can be webservers? I wanted to create an environment where if one
> webserver got compromised, the other webserver would be unaffected. I
> have old hardware, so I do not have hardware VT in the chip. I thought
> I previously read that a jail could only have 1 NIC, but I have not
> been able to confirm that. That would spoil my router plan, if true.
>
> I'm more familiar with Linux than FreeBSD, but Linux seems to be
> moving from Xen towards KVM (which requires VT). I could use Xen,
> probably on Debian if I did. Xen seems to require a specially built
> Linux kernel on Debian, and I'm not sure I like that.
>
> I'd also like to set up a personal samba file-server, but I'm deathly
> afraid the machine would get hacked while wired to the net. So I would
> also like to make a jail to be a samba server.
>
> All these jails are predicated on one of them being able to act as a
> router between the internet and my home LAN. I want some "jails" to
> talk the internet (via the router jail), and some "jails" to only be
> available in my house.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
You can have more than one IP, but the actual config of specific NICs is
done by the host. As for being a router I don't know- I'm not sure you
can access the sysctl needed, or whether the sysctl will affect the host
(and therefore other services and jails). And thirdly I'm not sure of
the validity of it.
Jail your services and run a firewall (pf?) on the host. That will
control who can get to what, and allow you to 'route' your network the
way you want to. I'm sure someone else could point out any security
flaws in this scenario, but it should do what you want and be relatively
secure.
I'd be reading up on Jails and understanding exactly what they are and
what they are not too. They aren't actual 'emulators' per se, they are
more a locked up chroot system. Make sure that is exactly what you
want/need.
HTH
More information about the freebsd-questions
mailing list