Re: Jails and loopback interfaces



No@SPAM@mgEDV.net <nospam@xxxxxxxxx> wrote:

I recently did something like this. I have a webserver in a jail that
needs to talk to a database, and the webserver is the only thing that
should talk to the databse.

My solution was to use 2 jails: one for the webserver, and another for the

database.

Jail 1:
* runs webserver
* binds to real interface with real, routable IP

Jail 2:
* runs database server
* binds to loopback interface, isn't directly reachable
from outside the box

just to clarify that for me: you did setup this layout or you
tried to setup this? as i read it, i understand that you did!

i tried exactly the same but currently jails are bound to the specific
ip-address assigned with them so i wonder, how the webserver on a real
ip-address can communicate with the database bound to the loopback ip?
if you could kindly tell, how you solved this issue (we're using 6.1).

In fact, it is a good idea to _always_ bind jails to non-
routable loopback IPs. For example:

jail 1 (webserver) on 127.0.0.2
jail 2 (database) on 127.0.0.3

If a service needs to be accessible from the outside, you
can use IPFW FWD rules to forward packets destined to the
real IP to the jail's loopback IP.

Of course there's no problem accessing the database from
the webserver. Note that you have complete control over
who can access what, by using your favourite packet filter
(IPFW, IPF, PF).

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
-- Robert Firth
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"