Re: jails, ipfilter & stunnel

From: Uwe Doering (gemini_at_geminix.org)
Date: 07/14/03

  • Next message: Dag-Erling Smørgrav: "Re: Login.Access"
    Date: Mon, 14 Jul 2003 11:44:57 +0200
    To: "V. Jones" <vjones62@earthlink.net>
    
    

    V. Jones wrote:
    >>You don't have to have multiple IP aliases for multiple jails. Or at
    >>least there is no technical necessity for this (in FreeBSD 4.x, that is,
    >>don't kown about 5.x). If it's just about running server processes in
    >>their own jail (no port number conflicts) you can have all jails on the
    >>same IP address and do the IP filtering (if necessary at all in this
    >>scenario) based on port numbers.
    >
    > Okay, I didn't realize I could run more than one jail on one ip address. I guess if I needed ssh on each jailed server I could just make sure the port number is unique.

    True, sshd would cause a port conflict. Since you cannot inject
    processes into already running jails in FreeBSD 4.x you better have an
    sshd in each of them. I agree that different port numbers would be the
    way to go here.

    >>>Finally, I'd like to use SSL to offer secure web connections & secure
    >>
    >>email
    >>
    >>>without having to buy two certificates. Am I getting too cute if I
    >>
    >>accept
    >>
    >>>ssl connections on one ip address and use stunnel to route them to
    >
    > the
    >
    >>>appropriate jailed server?
    >>
    >>In case of all jails on one IP address this problem goes away, too. You
    >>could define a generic domain name for the SSL stuff, for instance
    >>'secure.domain.tld', get a certificate for that and use it for web as
    >>well as email and other purposes.
    >>
    >> Uwe
    >>
    >
    > This counfuses me - doesn't the host name have to match the certificate? Can two jails have the same host name too?

    Two jails can have the same name. With

       sysctl jail.set_hostname_allowed=[01]

    you can even configure whether you can set the host names from the
    inside, to whatever you want.

    Apart from this, a server's host name isn't really important for most
    services and daemons. You can usually set the names under which they
    are supposed to operate in their respective config files. This is
    certainly true for Apache, while POP3/IMAP4 daemons usually don't care
    about the host name they get contacted with. There it is just important
    that you use 'secure.domain.tld' on the client side, in order to match
    the certificate's domain name. And for SMTP you can point the DNS MX
    records to 'secure.domain.tld'. All this has nothing to do with the
    host name used for the respective jail.

    Hope this wasn't too confusing.

        Uwe

    -- 
    Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
    gemini@geminix.org  |  http://www.escapebox.net
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

  • Next message: Dag-Erling Smørgrav: "Re: Login.Access"