to jail or not to jail

David Mehler dave.mehler at gmail.com
Thu Jun 6 04:41:23 UTC 2019 

Hello,

Thanks for your suggestions. That's way over my head.

I don't have zfs going on this setup. I do have a /16 ipv6
host-address. So what I am needing help with and i'm sure these are
beginner questions:

1. how do I divide the /64 ipv6 address so that each jail can have an
ipv6 address as well as an ipv4 address.
2. I'm needing each jail to log to the host machine. I'm wanting to do
this because I've got fail2ban going on the host and want to ban
addresses that are hitting on the jails.

Thanks.
Dave.


On 6/3/19, Julien Cigar <julien at perdition.city> wrote:
> On Sat, Jun 01, 2019 at 08:30:31PM -0400, David Mehler wrote:
>> Hello,
>
> Hello,
>
>>
>> I've got a newly installed FreeBSD 12 vps. It's going to be running a
>> web server/php hosting multiple sites, with letsencrypt tls
>> certificates for each. It's also going to be running an email server,
>> postfix, dovecot, rspamd, mysql database backend, again with the same
>> letsencrypt tls certificates. Previously I've had all this on one
>> host.
>>
>> What I'm wondering is if I should jail off these services, I've got a
>> zfs setup, still trying to wrap my head around that, and am wondering
>> should I run the database in one jail, the webserver/php in another
>> jail, and the email server in a third jail? If I do this how would I
>> get the tls certificates in to each jail, I'm looking for the maximum
>> automation.
>>
>
> I would highly suggest to jail everything, not only for the added
> security, but also for maintainability.
>
> Suggestion:
> - Script everything with some CMS (I highly recommend SaltStack)
> - Use ZFS (and clones) and two datasets per jail: one for the things you
>   deploy with your CMS and one for the "data" (= things generated by
>   the installed applications within the jail), with some nullfs mounts
>   from the HOST into the jails. It will facilitate the updates a lot.
>   At the end the goal is to be able to zfs destroy tank/jails/your_jail
>   and re-create it from scratch with one command.
> - With VIMAGE, tagged VLANs, some orchestration tool (SaltStack), and
>   ZFS snapshots send/receive your can achieve nearly real-time
>   migration.
> - Use HAProxy and SNI, and manage certs from there. At work we have an
>   orchestration script which 1) generate Let's Encrypt certificates in
>   somejail (certbot.lan) and if it succeed 2) rsync them on the HAProxy
>   nodes
>
> Julien
>
>> Thanks.
>> Dave.
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>
> --
> Julien Cigar
> Belgian Biodiversity Platform (http://www.biodiversity.be)
> PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
> No trees were killed in the creation of this message.
> However, many electrons were terribly inconvenienced.
>

More information about the freebsd-questions mailing list