Re: jails, ipfilter & stunnel

From: Uwe Doering (gemini_at_geminix.org)
Date: 07/14/03

  • Next message: Dag-Erling Smørgrav: "Re: Login.Access"
    Date: Mon, 14 Jul 2003 11:44:57 +0200
    To: "V. Jones" <vjones62@earthlink.net>
    
    

    V. Jones wrote:
    >>You don't have to have multiple IP aliases for multiple jails. Or at
    >>least there is no technical necessity for this (in FreeBSD 4.x, that is,
    >>don't know about 5.x). If it's just about running server processes in
    >>their own jail (no port number conflicts) you can have all jails on the
    >>same IP address and do the IP filtering (if necessary at all in this
    >>scenario) based on port numbers.
    >
    > Okay, I didn't realize I could run more than one jail on one ip address. I guess if I needed ssh on each jailed server I could just make sure the port number is unique.

    True, sshd would cause a port conflict. Since you cannot inject
    processes into already running jails in FreeBSD 4.x you better have an
    sshd in each of them. I agree that different port numbers would be the
    way to go here.

    >>>Finally, I'd like to use SSL to offer secure web connections & secure
    >>>email without having to buy two certificates. Am I getting too cute if I
    >>>accept ssl connections on one ip address and use stunnel to route them to
    >>>the appropriate jailed server?
    >>
    >>In case of all jails on one IP address this problem goes away, too. You
    >>could define a generic domain name for the SSL stuff, for instance
    >>'secure.domain.tld', get a certificate for that and use it for web as
    >>well as email and other purposes.
    >>
    >> Uwe
    >>
    >
    > This confuses me - doesn't the host name have to match the certificate? Can two jails have the same host name too?

    Two jails can have the same name. With

       sysctl jail.set_hostname_allowed=[01]

    you can even configure whether you can set the host names from the
    inside, to whatever you want.

    Apart from this, a server's host name isn't really important for most
    services and daemons. You can usually set the names under which they
    are supposed to operate in their respective config files. This is
    certainly true for Apache, while POP3/IMAP4 daemons usually don't care
    about the host name they get contacted with. There it is just important
    that you use 'secure.domain.tld' on the client side, in order to match
    the certificate's domain name. And for SMTP you can point the DNS MX
    records to 'secure.domain.tld'. All this has nothing to do with the
    host name used for the respective jail.

    Hope this wasn't too confusing.

        Uwe

    -- 
    Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
    gemini@geminix.org  |  http://www.escapebox.net
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
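A small pre-flight check for the layout Uwe describes (several jails on one IP address, each service on its own port, one certificate for 'secure.domain.tld' shared by web and mail), added here as an example; it is not code from the thread. The jail list, ports and certificate names are constructed for illustration.

```python
"""Sanity checks for several FreeBSD jails sharing one IP address.

Two things the thread cares about: no two jails may bind the same port on
the shared address (e.g. sshd in every jail needs its own port), and the
single TLS certificate must cover the name clients are told to connect to.
All jail/service data below is constructed, not taken from a real host.
"""
from collections import defaultdict

# Constructed plan: jail name -> list of (service, port, client-facing name).
# The client-facing name is None for services that are not TLS endpoints.
JAILS = {
    "www":  [("sshd", 22, None), ("https", 443, "secure.domain.tld")],
    "mail": [("sshd", 2222, None), ("imaps", 993, "secure.domain.tld"),
             ("smtp", 25, "secure.domain.tld")],
}
CERT_NAMES = {"secure.domain.tld"}   # CN / subjectAltName of the one cert


def port_conflicts(jails):
    """Return {port: [jail names]} for ports bound by more than one jail."""
    users = defaultdict(list)
    for jail, services in jails.items():
        for _svc, port, _name in services:
            users[port].append(jail)
    return {p: js for p, js in users.items() if len(js) > 1}


def cert_mismatches(jails, cert_names):
    """Return (jail, service, name) for TLS services whose client-facing
    name is covered neither exactly nor by a one-label wildcard in the cert."""
    bad = []
    for jail, services in jails.items():
        for svc, _port, name in services:
            if name is None:
                continue
            wildcard = "*." + name.split(".", 1)[1] if "." in name else None
            if name not in cert_names and wildcard not in cert_names:
                bad.append((jail, svc, name))
    return bad


if __name__ == "__main__":
    print("port conflicts:", port_conflicts(JAILS))
    print("cert mismatches:", cert_mismatches(JAILS, CERT_NAMES))
```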

