Re: jails, ipfilter & stunnel
From: Uwe Doering (gemini_at_geminix.org)
Date: Mon, 14 Jul 2003 11:44:57 +0200
To: "V. Jones" <email@example.com>
V. Jones wrote:
>>You don't have to have multiple IP aliases for multiple jails. Or at
>>least there is no technical necessity for this (in FreeBSD 4.x, that is,
>>don't know about 5.x). If it's just about running server processes in
>>their own jail (no port number conflicts) you can have all jails on the
>>same IP address and do the IP filtering (if necessary at all in this
>>scenario) based on port numbers.
> Okay, I didn't realize I could run more than one jail on one ip address. I guess if I needed ssh on each jailed server I could just make sure the port number is unique.
True, sshd would cause a port conflict. Since you cannot inject
processes into already running jails in FreeBSD 4.x you'd better have an
sshd in each of them. I agree that different port numbers would be the
way to go here.
>>>Finally, I'd like to use SSL to offer secure web connections & secure
>>>without having to buy two certificates. Am I getting too cute if I
>>>ssl connections on one ip address and use stunnel to route them to
>>>appropriate jailed server?
>>In case of all jails on one IP address this problem goes away, too. You
>>could define a generic domain name for the SSL stuff, for instance
>>'secure.domain.tld', get a certificate for that and use it for web as
>>well as email and other purposes.
> This confuses me - doesn't the host name have to match the certificate? Can two jails have the same host name too?
Two jails can have the same name. With
you can even configure whether you can set the host names from the
inside, to whatever you want.
Apart from this, a server's host name isn't really important for most
services and daemons. You can usually set the names under which they
are supposed to operate in their respective config files. This is
certainly true for Apache, while POP3/IMAP4 daemons usually don't care
about the host name they get contacted with. There it is just important
that you use 'secure.domain.tld' on the client side, in order to match
the certificate's domain name. And for SMTP you can point the DNS MX
records to 'secure.domain.tld'. All this has nothing to do with the
host name used for the respective jail.
Hope this wasn't too confusing.
-- Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers | http://www.escapebox.net
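As an added example (not from the thread or its authors), a small Python check for the shared-IP jail setup discussed above: it reads the Port directive from each jail's sshd_config, flags any port claimed twice on the shared address (the sshd conflict mentioned in the reply), and emits port-based ipfilter rules once the table is clean. Jail names, ports, the interface fxp0 and the address 192.0.2.10 are constructed sample values.

```python
from collections import defaultdict

# Constructed sample input (not from the thread): one sshd_config body per jail.
JAIL_SSHD_CONFIGS = {
    "www":    "Port 2201\nPermitRootLogin no\n",
    "mail":   "Port 2202\nPermitRootLogin no\n",
    "dns":    "# no Port line, so sshd falls back to 22\n",
    "backup": "PermitRootLogin no\n",
}
# Other daemons each jail binds on the shared address (constructed).
JAIL_SERVICES = {
    "www":    {"http": 80, "https": 443},
    "mail":   {"smtp": 25, "imaps": 993},
    "dns":    {"domain": 53},
    "backup": {},
}

def sshd_port(config_text, default=22):
    """Port directive from an sshd_config body; sshd listens on 22 if absent."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("port "):
            return int(line.split(None, 1)[1])
    return default

def service_table(sshd_configs, services):
    """Flatten every (jail, service) to the port it claims on the shared IP."""
    table = {(jail, "ssh"): sshd_port(cfg) for jail, cfg in sshd_configs.items()}
    for jail, svcs in services.items():
        for name, port in svcs.items():
            table[(jail, name)] = port
    return table

def port_conflicts(table):
    """Ports claimed by more than one (jail, service): these cannot coexist."""
    owners = defaultdict(list)
    for key, port in table.items():
        owners[port].append(key)
    return {port: sorted(keys) for port, keys in owners.items() if len(keys) > 1}

def ipf_rules(table, iface, addr):
    """ipfilter rules admitting only the claimed TCP ports on the shared address.
    The leading 'block' has no 'quick', so a later matching 'pass quick' wins."""
    conflicts = port_conflicts(table)
    if conflicts:
        raise ValueError(f"port conflicts on {addr}: {conflicts}")
    rules = [f"block in on {iface} all"]
    for (_jail, _svc), port in sorted(table.items(), key=lambda kv: kv[1]):
        rules.append(f"pass in quick on {iface} proto tcp from any to {addr} "
                     f"port = {port} flags S keep state")
    return rules
```

With the sample data, the two jails without a Port line collide on 22; dropping or re-porting one of them lets ipf_rules() produce the rule set.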