Re: Jails and loopback interfaces

No@SPAM@mgEDV.net <nospam@xxxxxxxxx> wrote:

> > In fact, it is a good idea to _always_ bind jails to non-
> > routable loopback IPs. For example:
> >
> > jail 1 (webserver) on 127.0.0.2
> > jail 2 (database) on 127.0.0.3
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.

> ok, technically I get this, but wouldn't it confuse the daemons

No, it doesn't confuse the daemons. Why should it?

> and slow down the network connections if I use packet forwarding
> for each packet? Let's say a daemon reads from syslog services
> and writes to databases.

No, the overhead is negligible. The only thing that IPFW
FWD does is to adjust the forwarding path of the packet.

> > Of course there's no problem accessing the database from
> > the webserver. Note that you have complete control over
> > who can access what, by using your favourite packet filter
> > (IPFW, IPF, PF).

> this part I definitely don't get. Let's assume this one:
>
> 192.168.10.1 = jail IP of the ws
> 127.0.0.1 = jail IP of the db

Don't use those IPs. In particular it's probably not a
good idea to use localhost as a jail IP. Use only loopback
IPs (other than localhost), like the example that I wrote
above.

And of course you should use appropriate packet filter
rules to enforce what kind of access between the jails
is allowed. Only allow what you need.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"... there are two ways of constructing a software design: One way
is to make it so simple that there are _obviously_ no deficiencies and
the other way is to make it so complicated that there are no _obvious_
deficiencies." -- C.A.R. Hoare, ACM Turing Award Lecture, 1980
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
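The setup Oliver describes, written out as a worked example added here (it is not code from the original post or from FreeBSD): the two jails on loopback aliases, an IPFW fwd rule that delivers traffic for the host's public IP to the webserver jail, and a default-deny between the loopback aliases with a single allow for webserver to database. The two jail addresses (127.0.0.2 and 127.0.0.3) are from the post; the interface name em0, the public IP 192.0.2.10 (RFC 5737 documentation range), port 80 and port 5432 are assumptions for illustration. The is_jail_loopback_ip check encodes Oliver's advice against the addresses from the question (a routable 192.168.10.1 and the host's own 127.0.0.1).

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD.
# Jail addresses 127.0.0.2/127.0.0.3 are from the thread; interface,
# public IP (RFC 5737 documentation range) and ports are assumptions.

EXT_IF="em0"          # assumed external interface
EXT_IP="192.0.2.10"   # assumed public IP of the host
WS_IP="127.0.0.2"     # webserver jail (from the post)
WS_PORT=80            # assumed
DB_IP="127.0.0.3"     # database jail (from the post)
DB_PORT=5432          # assumed database port

# Check a candidate jail address against the two rules from the post:
# it must be inside 127.0.0.0/8, so nothing on the wire can address it
# directly (unlike a jail on 192.168.10.1), and it must not be 127.0.0.1,
# which is the host's own localhost. Returns 0 when the address is OK.
is_jail_loopback_ip() {
    addr=$1
    [ "$addr" = "127.0.0.1" ] && return 1
    saved_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$saved_ifs
    [ $# -eq 4 ] && [ "$1" = "127" ] || return 1
    for octet in "$2" "$3" "$4"; do
        case "$octet" in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ifconfig(8) lines creating the lo0 aliases the jails bind to; refuses
# to emit anything for an address that fails the check above.
gen_alias_cmds() {
    for jail_ip in "$WS_IP" "$DB_IP"; do
        if ! is_jail_loopback_ip "$jail_ip"; then
            echo "refusing to use $jail_ip as a jail address" >&2
            return 1
        fi
        echo "ifconfig lo0 alias $jail_ip netmask 255.255.255.255"
    done
}

# The ruleset. Rule 100 is the fwd rule from the post: it only changes
# where the packet is delivered, so the daemon in the webserver jail
# listens on 127.0.0.2:80 and receives connections made to 192.0.2.10:80.
# Rules 200-400 are "only allow what you need" between the jails: the
# webserver may open the database port, the host keeps its own localhost
# traffic, and everything else between loopback addresses is denied and
# logged. Intended to sit ahead of the existing host policy; the fwd
# action needs kernel support (historically options IPFIREWALL_FORWARD).
gen_ipfw_rules() {
    cat <<EOF
ipfw add 100 fwd ${WS_IP},${WS_PORT} tcp from any to ${EXT_IP} ${WS_PORT} in via ${EXT_IF}
ipfw add 200 allow tcp from ${WS_IP} to ${DB_IP} ${DB_PORT} via lo0
ipfw add 210 allow tcp from ${DB_IP} ${DB_PORT} to ${WS_IP} via lo0
ipfw add 300 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 400 deny log ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
EOF
}

# No argument: print the commands for review. "apply": run them (as root).
if [ "$1" = "apply" ]; then
    gen_alias_cmds | sh && gen_ipfw_rules | sh
else
    gen_alias_cmds && gen_ipfw_rules
fi
```

Run it without arguments first and read the output; with the deny rule logging, anything you forgot to allow between the jails shows up in the IPFW log rather than silently working or failing. Note that rule 400 also blocks host processes from reaching the jails' aliases; if an administrator on the host needs the database, that is one more explicit allow, not a reason to drop the default deny.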