How to restrict jail's network access?
Erik Nørgaard
norgaard at locolomo.org
Wed Jun 8 14:50:14 UTC 2011
Hi:
I'm planning to move services to run in jails. Two jails:
1: Mail related: postfix, cyrus imap and openldap
2: Web related: apache and postgresql
No service should be able to connect out of the jail to remote hosts,
except for postfix, which needs to connect out to port 25 for delivery to
other domains.
I don't want to allow an ssh out of a jail to the local node, as that
could allow a compromised jail to jump to the host server - even if only
theoretically.
Both jails need to access the named that runs chrooted on the host
server but may not access remote DNS services.
Other than this, any connection to remote nodes or to the host
server on the loopback interface must be blocked.
I don't have extra IPs to create jails with separate interfaces, but
there are no conflicting port assignments, so this shouldn't be a problem.
I have considered isolating the jails by only offering a loopback
interface and letting the firewall impose these policies, but is this at all
possible?
How would you go about implementing the above policies?
Thanks, Erik
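One way to express the policy described in the post is a pf ruleset loaded on the host, with both jails on a cloned loopback interface; this is an added example, not from the post or the FreeBSD project. Assumed here (none of it is in the post): em0 is the public interface, the mail jail is 127.0.1.1 and the web jail 127.0.1.2 on lo1, and the chrooted named listens on 127.0.0.1:53.

```pf
# Added example: pf.conf on the host implementing the jail egress policy.
# Assumed layout (constructed, not from the post): public interface em0;
# mail jail 127.0.1.1 and web jail 127.0.1.2 on lo1; named on 127.0.0.1:53.
ext_if    = "em0"
mail_jail = "127.0.1.1"
web_jail  = "127.0.1.2"
jails     = "{ 127.0.1.1, 127.0.1.2 }"
host_dns  = "127.0.0.1"

# Publish the jails' services on the host's public address. "rdr pass"
# admits the redirected connection without a separate filter rule.
rdr pass on $ext_if inet proto tcp to ($ext_if) port { 25, 143, 993 } -> $mail_jail
rdr pass on $ext_if inet proto tcp to ($ext_if) port { 80, 443 }      -> $web_jail

# The single permitted outbound flow: postfix delivering to remote port 25.
# Source-NAT it to the public address and pass it in the same rule.
nat pass on $ext_if inet proto tcp from $mail_jail to any port 25 -> ($ext_if)

# Default deny, logged: anything a jail attempts that is not listed below
# is recorded in pflog instead of silently succeeding.
block log all

# Jails may reach the host resolver, on whichever interface the kernel uses
# for local delivery, and nothing else in 127/8: no ssh to the host and no
# jail-to-jail traffic.
pass quick inet proto { tcp, udp } from $jails to $host_dns port 53
block quick inet from $jails to 127.0.0.0/8

# Anything else a jail emits towards the outside still carries its
# untranslated 127.x source; drop it, which also covers remote DNS.
block out quick on $ext_if inet from 127.0.0.0/8

# The host itself keeps its normal access (admin ssh in, named's own
# recursion and everything else out).
pass in  quick on $ext_if inet proto tcp to ($ext_if) port 22
pass out quick on $ext_if inet from ($ext_if)
```

Load it with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` to see which connections the jails attempt that the policy refuses.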