RE: Jails and loopback interfaces



On Thu, 4 May 2006, No@SPAM@mgEDV.net wrote:


I recently did something like this. I have a webserver in a jail that
needs to talk to a database, and the webserver is the only thing that
should talk to the database.

My solution was to use 2 jails: one for the webserver, and another for the
database.

Jail 1:
* runs webserver
* binds to real interface with real, routable IP

Jail 2:
* runs database server
* binds to loopback interface, isn't directly reachable
from outside the box

Just to clarify that for me: did you set up this layout, or did you
try to set it up? As I read it, I understand that you did!

I did set it up. My scenario is up and functioning in production.

I tried exactly the same, but currently jails are bound to the specific
IP address assigned to them, so I wonder how the webserver on a real
IP address can communicate with the database bound to the loopback IP.
If you could kindly tell how you solved this issue (we're using 6.1).

Packets leaving a jail are not limited to leaving the host machine on the same interface that the jail is bound to. The jail is limited to sending packets from, and receiving packets to, the IP address that it's bound to, but those packets can go out, or come in, any interface on the host machine. You don't need to do any special routing or firewall or NAT or anything to get a jail to be able to talk to the host.


/-------------------------------------------------------------------------/
Psychiatrists say that one out of four people are mentally ill. Check
three friends. If they're OK, you're it.

finger://bigby@xxxxxxxxxxxxx
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
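The two-jail layout discussed in this thread, written out as an added example (this is not code from the thread or from the FreeBSD project): a FreeBSD 6.x rc.conf fragment that binds the webserver jail to a routable address on a real interface and the database jail to a loopback alias, an optional ipfw fragment, and a small audit over `sockstat -4 -l` output that confirms the database port only listens on a 127/8 address. The jail names `www` and `db`, the addresses 192.0.2.10 on em0 and 127.0.0.2 on lo0, the port 5432 and the sample sockstat lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the two-jail layout described above
# as a FreeBSD 6.x rc.conf fragment, plus an audit that checks the database
# port is only listening on a loopback address.
# Assumed values: jails "www" and "db", 192.0.2.10 on em0 for the webserver,
# 127.0.0.2 on lo0 for the database, database server on port 5432.

WWW_IP="192.0.2.10"; WWW_IF="em0"
DB_IP="127.0.0.2";   DB_IF="lo0"
DB_PORT="5432"

# rc.conf fragment for the rc.d jail startup script. rc.d/jail adds each
# jail's address as an alias on the named interface, so the database jail
# lives on 127.0.0.2/lo0, an address that is never routed off the host.
rc_conf_fragment() {
  cat <<EOF
jail_enable="YES"
jail_list="www db"

jail_www_rootdir="/usr/jails/www"
jail_www_hostname="www.example.org"
jail_www_ip="$WWW_IP"
jail_www_interface="$WWW_IF"

jail_db_rootdir="/usr/jails/db"
jail_db_hostname="db.example.org"
jail_db_ip="$DB_IP"
jail_db_interface="$DB_IF"
EOF
}

# The webserver's database client connects to 127.0.0.2, not 127.0.0.1:
# inside a jail, 127.0.0.1 is rewritten to the jail's own address, so a
# connection to 127.0.0.1 from the www jail would land on 192.0.2.10.
# As the reply above says, the 192.0.2.10 -> 127.0.0.2 connection needs no
# routing, NAT or firewall rule; it simply traverses lo0 on the host.

# Optional ipfw rules restricting the database port to the webserver jail.
# A loopback bind keeps the database off the wire, but it does not stop other
# jails or host processes on the same box from connecting; these rules do.
ipfw_rules() {
  cat <<EOF
ipfw add allow tcp from $WWW_IP to $DB_IP $DB_PORT setup
ipfw add deny tcp from any to $DB_IP $DB_PORT setup
EOF
}

# Classify an IPv4 address as loopback (127/8).
is_loopback() {
  case "$1" in
    127.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Audit listening sockets from `sockstat -4 -l` output on stdin.
# Data lines are: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS,
# with LOCAL_ADDRESS as addr:port. Succeeds only if every listener on the
# database port is on a 127/8 address; a wildcard (*) bind counts as exposed.
audit_listeners() {
  exposed=$(awk -v port="$DB_PORT" '
    NR > 1 {
      n = split($6, a, ":")
      if (n == 2 && a[2] == port && a[1] !~ /^127\./) print $6
    }')
  if [ -n "$exposed" ]; then
    echo "database port $DB_PORT listening on non-loopback address: $exposed" >&2
    return 1
  fi
  return 0
}

# Demonstration on constructed sockstat output (not captured from a real host).
SAMPLE_SOCKSTAT='USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
pgsql postgres 1234 3 tcp4 127.0.0.2:5432 *:*
www httpd 2345 4 tcp4 192.0.2.10:80 *:*'

if printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners; then
  echo "database port $DB_PORT is only exposed on loopback: OK"
fi
```

On a real host, pipe `sockstat -4 -l | audit_listeners` after both jails are up; a non-zero exit means the database is listening somewhere other than a loopback alias and is reachable from off the box.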