How to restrict jail's network access?

Alejandro Imass ait at p2ee.org
Wed Jun 8 15:30:04 UTC 2011


On Wed, Jun 8, 2011 at 10:50 AM, Erik Nørgaard <norgaard at locolomo.org> wrote:
> Hi:
>
> I'm planning to move services to run in jails. Two jails:
>
> 1: Mail related: postfix, cyrus imap and openldap
> 2: Web related: apache and postgresql
>
> No service should be able to connect out of the jail to remote hosts, except
> for postfix, which needs to connect out to port 25 for delivery to other
> domains.
>

Jails usually run in a private network by default; each has a private
IP which is an alias of the lo device.
In fact, you usually have to explicitly NAT ports from the base system to the jails.

Try EzJail (yep, easy peasy as its name suggests) and check out these
references:

http://erdgeist.org/arts/software/ezjail/
http://www.freebsddiary.org/ezjail.php
http://www.scottro.net/qnd/qnd-ezjail.html
http://www.bsdguides.org/guides/freebsd/security/manage_jails


Best,

--
Alejandro Imass

P.S. You can always hire out your initial set-up/training; I'm sure many
here would be more than happy to do so ;-)
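
For the layout the reply above describes (jail addresses aliased on a
loopback interface, ports NATed from the base system), the following pf.conf
shows one way to enforce the original poster's requirement: inbound ports
redirected into the two jails, and no outbound connections from either jail
except SMTP from the mail jail. This is an added example written for this
page, not configuration from the original post or from ezjail. Everything in
it is assumed: the interface names em0 and lo1, the jail addresses
10.0.0.2 and 10.0.0.3, the resolver address 10.0.0.1, and the port lists.

```pf
# /etc/pf.conf for the base system (FreeBSD pf). Added example, not from the
# original post. All names and addresses below are assumptions for illustration.
ext_if    = "em0"          # base system's public interface
jail_if   = "lo1"          # jail addresses are aliases on this interface
jail_net  = "10.0.0.0/24"
mail_jail = "10.0.0.2"     # postfix, cyrus imap, openldap
web_jail  = "10.0.0.3"     # apache, postgresql
resolver  = "10.0.0.1"     # assumed DNS resolver reachable from the host

# Inbound: redirect the public ports on the base system into the jails.
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 143, 993 } -> $mail_jail
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 }      -> $web_jail

# Outbound: only the mail jail is translated, and only for SMTP delivery
# plus the DNS lookups postfix needs to find MX records. "nat pass" means
# packets matching these rules skip the filter rules below, so they do not
# have to be matched again after their source address has been rewritten.
nat pass on $ext_if proto tcp from $mail_jail to any port 25 -> ($ext_if)
nat pass on $ext_if proto { tcp, udp } from $mail_jail to $resolver port 53 -> ($ext_if)

# Filter rules: default deny, then open exactly what is needed.
block log all
pass quick on lo0

# Any packet from the jail range that was not translated above still carries
# its private source address when it reaches $ext_if; drop it. This is what
# keeps the web jail, cyrus and openldap from connecting out at all.
block out quick log on $ext_if from $jail_net to any

# Accept the redirected inbound connections (pf sees the post-rdr destination).
pass in quick on $ext_if proto tcp from any to $mail_jail port { 25, 143, 993 } flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $web_jail  port { 80, 443 }      flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the translation and filter
rules with `pfctl -s nat` and `pfctl -s rules`. Two points worth checking in
practice: postfix cannot deliver to other domains without DNS, so the port
25 rule alone is not enough unless the jail has a resolver it can reach;
and the base system's own outbound traffic is not covered by these rules,
so add a `pass out` rule for `($ext_if)` itself before relying on the
`block log all` default.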


More information about the freebsd-questions mailing list