best practice for locking down private jail?
Aleksandr Miroslav
alexmiroslav at gmail.com
Fri Dec 4 02:45:18 UTC 2015
On Wed, Dec 2, 2015 at 11:39 PM, Steve O'Hara-Smith <steve at sohara.org> wrote:
> I would set up two jails - one as the upload jail the other the web
> server and use a cron job on the host to move verified mp3 files
Excellent advice, I will do just that.
> don't use Apache, use a minimalist web server that can only serve
> static files (thttpd can be set up this way - there are others).
thttpd doesn't look like it's been updated in a while, but a bit of
Googling shows that lighttpd, nginx, and hiawatha are all small secure
web servers. Any recommendations from these?
> Finally I'd use pf to lock down the traffic so that nothing gets to
> the jails that shouldn't.
I only have redirects for both the web server jail and the file uploader jail
that look like this:

rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port = $JAIL_UPLOADER_SSH_EXTERNAL_PORT -> $JAIL_UPLOADER_IP port $JAIL_UPLOADER_SSH_PORT
rdr pass on $EXT_NIC inet proto tcp from any to $PUBLIC_IP port = $JAIL_WEB_HTTP_EXTERNAL_PORT -> $JAIL_WEB_IP port $JAIL_WEB_HTTP_PORT

And both jails are on private IPs that don't talk to each other or the
outside host/world. Is this sufficient or should I add blocks for these
private jails as well?
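
The host-side cron job from the quoted advice, sketched as an added example that is not part of the original thread. The directory arguments and the function names are hypothetical, and the thread does not say how files are "verified", so this assumes a header check (ID3v2 tag or MPEG audio frame sync) plus a refusal to follow symlinks or hard links planted in the upload jail.

```python
import os
import shutil
import stat
import tempfile

def looks_like_mp3(head: bytes) -> bool:
    """Assumed verification: ID3v2 tag, or an MPEG audio frame sync."""
    if head[:3] == b"ID3":
        return True
    # Frame sync is 11 set bits; layer bits 00 are reserved, so reject them.
    return (len(head) >= 2 and head[0] == 0xFF
            and (head[1] & 0xE0) == 0xE0 and (head[1] & 0x06) != 0)

def move_verified(upload_dir: str, web_dir: str) -> list:
    """Copy verified files out of the upload jail; return the names moved."""
    moved = []
    for entry in os.scandir(upload_dir):
        if not entry.name.lower().endswith(".mp3"):
            continue
        # The uploader controls this directory: skip symlinks and non-files.
        if not entry.is_file(follow_symlinks=False):
            continue
        try:
            fd = os.open(entry.path, os.O_RDONLY | os.O_NOFOLLOW)
        except OSError:
            continue  # swapped for a symlink after scandir, or unreadable
        with os.fdopen(fd, "rb") as src:
            st = os.fstat(src.fileno())
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                continue
            if not looks_like_mp3(src.read(4)):
                continue
            src.seek(0)
            # Copy from the descriptor that was checked, not from the path,
            # into a temp file inside web_dir so the rename below is atomic.
            tmp_fd, tmp = tempfile.mkstemp(dir=web_dir, prefix=".incoming-")
            with os.fdopen(tmp_fd, "wb") as dst:
                shutil.copyfileobj(src, dst)
        os.chmod(tmp, 0o444)  # read-only for the static web server
        os.replace(tmp, os.path.join(web_dir, entry.name))
        os.unlink(entry.path)
        moved.append(entry.name)
    return sorted(moved)
```

Because the file is copied rather than renamed, the result in the web jail is owned by the host user running the job, not by the uploader.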