Re: Jails and loopback interfaces

Bigby Findrake <bigby@xxxxxxxxxxxxx> wrote:
> Oliver Fromme wrote:
> > In fact, it is a good idea to _always_ bind jails to non-
> > routable loopback IPs. For example:
> >
> > jail 1 (webserver) on
> > jail 2 (database) on
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.

> Wouldn't you need to use some form of NAT and not forwarding? This is
> from IPFW(8) (6.0-RELEASE):
>
>     The fwd action does not change the contents of the packet at all.
>     In particular, the destination address remains unmodified, so
>     packets forwarded to another system will usually be rejected by
>     that system unless there is a matching rule on that system to
>     capture them. For packets forwarded locally, the local address
>     of the socket will be set to the original destination address of
>     the packet.
>
> It seems to me that the jail might reject the packets,

No, a jail doesn't reject anything, because jails don't
have their own TCP/IP stack or routing table (actually it
would be very nice if they did).

Trust me, it works. I've got such setups running in
production. ;-)

> and even if it
> didn't, would the replies from the jail get the right source address put
> on them?

That's right. When processes within a jail open a network
socket, those sockets are forced to bind to the jail's IP
address, so all packets originating from that jail will
have the jail's IP as the source address. Therefore you
have to install a NAT rule.

> Forwarding doesn't seem to be the way to accomplish what you're talking

Yes, packet forwarding is the perfect way to accomplish it.
It's also very efficient; the overhead is negligible.

I always recommend using loopback IPs for jails, because
it is the most secure way to set up jails, since loopback
IPs are guaranteed never to leave the local machine. So
an attacker who manages to take control of the jail (in
whole or in part) cannot use it to launch further attacks.
Of course, that's only an _additional_ safety measure,
not the only one.

Best regards

Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD:
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"What is this talk of 'release'? We do not make software 'releases'.
Our software 'escapes', leaving a bloody trail of designers and quality
assurance people in its wake."
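The setup Oliver describes above (jail bound to a loopback IP, ipfw fwd for inbound traffic, NAT for the jail's replies), as an added example that is not part of the original thread. The interface name em0, the public IP 203.0.113.10, the jail IP 127.0.1.1 and port 80 are constructed values; the NAT step uses in-kernel "ipfw nat", which exists from FreeBSD 7.0 (on 6.x the same step would go through divert/natd).

```shell
#!/bin/sh
# Added example, not from the original thread: ipfw rules for a webserver
# jail bound to a loopback IP, reachable through the host's real address.
# Assumed values: external interface em0, public IP 203.0.113.10,
# jail IP 127.0.1.1 (an alias on lo0), public port 80.

# Emit the commands instead of applying them, so the ruleset can be
# reviewed (and tested) on a machine without ipfw.  Refuses any jail IP
# outside 127/8, since the whole point is an address that never leaves
# the host.
jail_fwd_rules() {
    ext_if=$1; ext_ip=$2; jail_ip=$3; port=$4
    case $jail_ip in
        127.*) ;;
        *) echo "jail IP must be a loopback address: $jail_ip" >&2; return 1 ;;
    esac
    cat <<EOF
# loopback alias the jail binds to; never routed off the host
ifconfig lo0 alias $jail_ip netmask 255.255.255.255
# NAT instance that rewrites the jail's source address to the public IP
ipfw nat 1 config ip $ext_ip
# inbound: hand packets for the public IP/port to the jail's socket
ipfw add 100 fwd $jail_ip,$port tcp from any to $ext_ip $port in recv $ext_if
# outbound replies from the jail: source $jail_ip becomes $ext_ip
ipfw add 200 nat 1 ip from $jail_ip to any out xmit $ext_if
EOF
}

# Print by default; APPLY=1 pipes the commands into a shell (run as root).
if [ "${APPLY:-0}" = 1 ]; then
    jail_fwd_rules "${EXT_IF:-em0}" "${EXT_IP:-203.0.113.10}" \
        "${JAIL_IP:-127.0.1.1}" "${PORT:-80}" | sh
else
    jail_fwd_rules "${EXT_IF:-em0}" "${EXT_IP:-203.0.113.10}" \
        "${JAIL_IP:-127.0.1.1}" "${PORT:-80}"
fi
```

Older kernels needed the IPFIREWALL_FORWARD option for the fwd action to work at all; check your release's ipfw(8) before relying on it.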
freebsd-security@xxxxxxxxxxx mailing list