Re: Jails and loopback interfaces



No@SPAM@mgEDV.net <nospam@xxxxxxxxx> wrote:

> > I recently did something like this. I have a webserver in a jail that
> > needs to talk to a database, and the webserver is the only thing that
> > should talk to the database.
> >
> > My solution was to use 2 jails: one for the webserver, and another for the
> > database.
> >
> > Jail 1:
> > * runs webserver
> > * binds to real interface with real, routable IP
> >
> > Jail 2:
> > * runs database server
> > * binds to loopback interface, isn't directly reachable
> >   from outside the box
>
> Just to clarify that for me: did you set up this layout, or did you
> try to set it up? As I read it, I understand that you did!
>
> I tried exactly the same, but currently jails are bound to the specific
> IP address assigned to them, so I wonder how the webserver on a real
> IP address can communicate with the database bound to the loopback IP.
> If you could kindly tell how you solved this issue (we're using 6.1).

In fact, it is a good idea to _always_ bind jails to non-
routable loopback IPs. For example:

jail 1 (webserver) on 127.0.0.2
jail 2 (database) on 127.0.0.3

If a service needs to be accessible from the outside, you
can use IPFW FWD rules to forward packets destined to the
real IP to the jail's loopback IP.

Of course there's no problem accessing the database from
the webserver. Note that you have complete control over
who can access what, by using your favourite packet filter
(IPFW, IPF, PF).

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
-- Robert Firth
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
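The layout Oliver describes (both jails on loopback aliases, the webserver published with an IPFW fwd rule, and the packet filter deciding who may reach the database) as a concrete ruleset. This is an added example and is not code from the thread or from the FreeBSD project; the interface name em0, the public address 203.0.113.10 (a documentation range), and the database port 5432 are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original thread). Two jails bound to loopback
# aliases: the webserver jail on 127.0.0.2, the database jail on 127.0.0.3.
# ASSUMED values: external interface em0, public address 203.0.113.10
# (documentation range), database on TCP 5432. Override via environment.
# On FreeBSD 6.x the fwd action needs a kernel built with
# "options IPFIREWALL_FORWARD". ipfw is first-match: rule order is the policy.

EXT_IF="${EXT_IF:-em0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
WEB_JAIL_IP="${WEB_JAIL_IP:-127.0.0.2}"
DB_JAIL_IP="${DB_JAIL_IP:-127.0.0.3}"
DB_PORT="${DB_PORT:-5432}"

# One /32 loopback alias per jail. jail(8) binds each jail to exactly this
# address, so it has to exist on lo0 before the jail is started.
loopback_aliases() {
    for ip in "$WEB_JAIL_IP" "$DB_JAIL_IP"; do
        printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n' "$ip"
    done
}

# Ruleset in ipfw(8) file syntax (one command per line, no "ipfw" prefix).
ipfw_rules() {
    cat <<EOF
# Database: only the webserver jail may connect; anything else on the box
# (host, other jails) is logged and dropped. Placed BEFORE the generic
# loopback allow, otherwise rule 120 would let every 127.0.0.x socket in.
add 100 allow tcp from $WEB_JAIL_IP to $DB_JAIL_IP $DB_PORT
add 110 deny log tcp from any to $DB_JAIL_IP $DB_PORT
add 120 allow ip from any to any via lo0
# Anti-spoofing: 127/8 never legitimately appears on the real interface,
# so the jails' loopback addresses are unreachable from outside except
# through the explicit fwd rules below.
add 200 deny log ip from 127.0.0.0/8 to any in via $EXT_IF
add 210 deny log ip from any to 127.0.0.0/8 in via $EXT_IF
# Publish the webserver: packets for the real IP are handed to the socket
# bound to the jail's loopback address. fwd does not rewrite the packet;
# the jail's server sees the real IP as its local address, so replies
# leave with the routable source address (transparent-proxy semantics).
add 300 fwd $WEB_JAIL_IP,80 tcp from any to $EXT_IP 80 in via $EXT_IF
add 310 fwd $WEB_JAIL_IP,443 tcp from any to $EXT_IP 443 in via $EXT_IF
# Outbound traffic from host and jails, plus replies to it.
add 400 allow tcp from any to any out via $EXT_IF
add 410 allow tcp from any to any established
add 65000 deny log ip from any to any
EOF
}

# Same ruleset with comments and blank lines stripped (what gets loaded).
rule_lines() {
    ipfw_rules | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Configure the aliases and replace the running ruleset atomically
# (flush, then load the whole file) so no half-loaded state is exposed.
apply_rules() {
    loopback_aliases | while read -r cmd; do run $cmd; done
    tmp=$(mktemp) || return 1
    rule_lines > "$tmp"
    run ipfw -q -f flush && run ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    rule_lines
fi
```

Run without arguments to review the generated rules, with `apply` (as root) to load them, or with `DRY_RUN=1 ./jailfw.sh apply` to see the exact commands first. The point worth checking after loading is rule 110: a `telnet 127.0.0.3 5432` from the host or from any jail other than the webserver jail should fail and produce a log entry, which is the evidence that the filter, not the jail boundary, is what keeps the database private.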

