Best practices about Jails

Adam Vande More amvandemore at gmail.com
Wed Apr 4 22:32:00 UTC 2012


On Wed, Apr 4, 2012 at 3:16 AM, Andrea Venturoli <ml at netfence.it> wrote:

> Second question: from inside the jail I can access all services on
> localhost (eg. telnet localhost pop3, where a pop3 server is running on the
> host). Can this be avoided, e.g. with ipfw?
> Ideally, since this jail will run only one daemon and it will be accessed
> through Apache mod_proxy from the host, I'll just need inbound access to
> its port and outbound access to smtp and web proxy on the host system. No
> direct access from/to other hosts.
> Is this possible?
>

I use http://druidbsd.sourceforge.net/vimage.shtml to manage VIMAGE jails.
It works well.  I don't use any of the jail frameworks in ports because I
don't run a large amount of jails which is where one sees the greatest
benefit from them.  Of course they make certain optimization and procedures
easier, but there is something to be said for learning the canonical way
jails operate before implementing them in a more abstract framework.  My
statements are not considering the rc.d/jail* and vimage package as
frameworks (although they are in a way at least).

-- 
Adam Vande More
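
The ipfw confinement Andrea asks about, as an added example that is not part of the thread: a ruleset for a classic (non-VIMAGE) jail that admits only inbound connections to the jail's one daemon and only outbound connections to smtp and the web proxy on the host, dropping everything else, including the jail reaching the host's pop3 via "localhost". All addresses, ports and rule numbers are constructed placeholders; with a VIMAGE jail of the kind Adam describes, the same rules would instead be loaded inside the jail's own network stack.

```shell
#!/bin/sh
# Added example, not from the mailing list. Confines a non-VIMAGE jail with ipfw.
# Every address, port and rule number below is a constructed placeholder; set the
# real ones through the environment.
JAIL_IP="${JAIL_IP:-127.0.1.1}"      # jail address, assumed to be an alias on lo0
JAIL_PORT="${JAIL_PORT:-8080}"       # the single daemon the host's mod_proxy talks to
HOST_IP="${HOST_IP:-192.0.2.10}"     # a real host address: inside a jail, 127.0.0.1 is
                                     # rewritten to the jail's own address, so the jail
                                     # must reach host daemons through an address only
                                     # the host has
PROXY_PORT="${PROXY_PORT:-3128}"     # web proxy on the host
IPFW="${IPFW:-ipfw -q}"

# Emit the rules in ipfw(8) file syntax (one command per line, no "ipfw" prefix).
# No in/out qualifiers: loopback traffic passes the firewall twice (once out,
# once in) and both legs must match the same allow rule or its dynamic state.
# Rule 1010 uses "from any" because the source address the host picks when it
# talks to an lo0 alias depends on routing; the port restriction and the deny
# rules still limit what reaches the jail. Rule 1090 is what stops
# "telnet localhost pop3" from inside the jail: localhost becomes $JAIL_IP
# there, and a host daemon bound to INADDR_ANY would otherwise answer.
jail_ipfw_rules() {
    cat <<EOF
add 1000 check-state
add 1010 allow tcp from any to $JAIL_IP $JAIL_PORT setup keep-state
add 1020 allow tcp from $JAIL_IP to $HOST_IP 25,$PROXY_PORT setup keep-state
add 1090 deny log ip from $JAIL_IP to any
add 1091 deny log ip from any to $JAIL_IP
EOF
}

# Load the ruleset from stdin; run as root on the host. "deny log" entries
# show up in the ipfw log only when net.inet.ip.fw.verbose is enabled.
apply_jail_rules() {
    jail_ipfw_rules | $IPFW /dev/stdin
}

# Number of "add" commands in the generated set, for a quick sanity check.
rule_count() {
    jail_ipfw_rules | grep -c '^add '
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_jail_rules
else
    jail_ipfw_rules        # dry run: just print what would be loaded
fi
```

Run it without arguments to review the generated rules; run it as root with APPLY=1 to load them. Because rules 1090 and 1091 sit after the allow rules for this jail, they can be inserted into an existing ruleset as a block without disturbing rules the host already has outside the 1000-1099 range.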

