RE: Jails and loopback interfaces

I recently did something like this. I have a webserver in a jail that
needs to talk to a database, and the webserver is the only thing that
should talk to the databse.

My solution was to use 2 jails: one for the webserver, and another for the


Jail 1:
* runs webserver
* binds to real interface with real, routable IP

Jail 2:
* runs database server
* binds to loopback interface, isn't directly reachable
from outside the box

just to clarify that for me: you did setup this layout or you
tried to setup this? as i read it, i understand that you did!

i tried exactly the same but currently jails are bound to the specific
ip-address assigned with them so i wonder, how the webserver on a real
ip-address can communicate with the database bound to the loopback ip?
if you could kindly tell, how you solved this issue (we're using 6.1).

freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Jails and loopback interfaces
    ... * runs webserver ... binds to real interface with real, ... * runs database server ... it is a good idea to _always_ bind jails to non- ...
  • Re: Query regarding virtual path and physical path
    ... anything Web Server specific. ... I have httpd webserver and once i give it goes to remote ... The database file cannot be found. ... I set virtual path in my webserver. ...
  • Re: freebsd jail: web and database server config questions
    ... The webserver will need to connect to the database system on startup and update the database based on client access. ... I would setup two jails on the system and run the database in one jail and the webserver in the other. ... I thought that a key-feature of a jailed system is that it can't access resources outside the jail. ...
  • Re: Secure Web-Based Administration
    ... > The best option would be to set up sudo to allow this webserver ... somewhat nicer and imho nuch more secure. ... These very same credentials (password + ... passphrase) are then used to store the changed data in a database. ...
  • RE: Jails and loopback interfaces
    ... * runs webserver ... * runs database server ... Packets leaving a jail are not limited to leaving the host machine on the same interface that the jail is bound to. ... The jail is limited to sending packets from, and receiving packets to the IP address that its bound to, but those packets can go out, or come in, any interface on the host machine. ...