Jails and loopback interfaces
No at SPAM at mgEDV.net
nospam at mgedv.net
Thu May 4 15:07:13 UTC 2006
> In fact, it is a good idea to _always_ bind jails to non-
> routable loopback IPs. For example:
> jail 1 (webserver) on 127.0.0.2
> jail 2 (database) on 127.0.0.3
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.
ok, technically i get this, but wouldn't it confuse the daemons
and slow down the network connections if i use packet forwarding
for each packet? let's say a daemon reads from syslog-services
and writes to databases.
> Of course there's no problem accessing the database from
> the webserver. Note that you have complete control over
> who can access what, by using your favourite packet filter
> (IPFW, IPF, PF).
this part i definitely don't get. let's assume this one:
192.168.10.1 = jail ip of the ws
127.0.0.1 = jail ip of the db
sending to 127.0.0.1 is not possible on 192.168.134.1 (kernel
re-routes it to 192.168.134.1 if man jail is correct)
if i set up forwarding rules i'd have to set up something for
the real ip's port, no?
and, i assumed that the setup mentioned can live without additional
firewall rules.
i for sure have some "what the hell... how-to" problem with jails, currently
;-)
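For readers following the thread: the setup the quoted poster proposes (each jail on its own 127.0.0.x alias, IPFW `fwd` for the one service that must be reachable from outside, and IPFW rules deciding which jail may talk to which) can be written down as a small ruleset. The script below is an added example, not code from the thread or from FreeBSD; the interface name `em0`, the public address `203.0.113.10`, the jail addresses 127.0.0.2 (webserver, port 80) and 127.0.0.3 (database, port 3306) are constructed placeholders. It emits the `ipfw` commands instead of loading them so the result can be reviewed first; it assumes a FreeBSD kernel built with `IPFIREWALL` and `IPFIREWALL_FORWARD`, and it should be verified on a test host before use.

```shell
#!/bin/sh
# Added example (not from the thread): generate an IPFW ruleset for two
# jails bound to loopback aliases, as suggested in the quoted message.
# All names and addresses below are constructed placeholders.

EXT_IF="em0"            # assumed public interface
EXT_IP="203.0.113.10"   # assumed public address of the host
WS_IP="127.0.0.2"       # webserver jail, bound to a loopback alias
DB_IP="127.0.0.3"       # database jail, bound to a loopback alias
DB_PORT="3306"

# Emit the rules rather than loading them, so they can be inspected first.
# On a real host: gen_jail_rules | sh
gen_jail_rules() {
    cat <<EOF
ipfw -q flush
# Packets belonging to connections already permitted below match here,
# so no "established" catch-all is needed (which would let any jail
# reach the database with a forged ACK).
ipfw add 10 check-state
# Only the webserver is public: rewrite the destination of inbound HTTP
# for the real address so the socket in the jail on ${WS_IP} receives it.
ipfw add 100 fwd ${WS_IP},80 tcp from any to ${EXT_IP} 80 in via ${EXT_IF}
# Traffic between loopback aliases still passes through lo0 and through
# IPFW, so the webserver jail can be limited to the database port only.
ipfw add 200 allow tcp from ${WS_IP} to ${DB_IP} ${DB_PORT} setup keep-state
# Nobody else (host daemons, other jails, outside) may reach the database.
ipfw add 300 deny log ip from any to ${DB_IP}
# Remaining loopback traffic on the host is left alone.
ipfw add 400 allow ip from any to any via lo0
# The host's usual rules for ${EXT_IF} belong before this final deny.
ipfw add 65000 deny log ip from any to any
EOF
}

# Review helper: how many rules (comment lines excluded) mention an address.
count_rules_for() {
    gen_jail_rules | grep -c "ipfw add .*${1}"
}

# Print the generated rules for review.
gen_jail_rules
```

The answer to the "additional firewall rules" question in the post, in this form, is that the filter is doing two jobs at once: rule 100 is the forwarding that makes the webserver reachable on the real address, and rules 200 and 300 are the access control that keeps the database jail reachable only from the webserver jail. Without rule 300 any process on the host or in another jail could open a connection to 127.0.0.3.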