How to connect a jail to the web?
Rocky Borg
rrborg at speakeasy.net
Wed Aug 11 01:07:36 UTC 2010
On 8/10/2010 5:02 PM, Fbsd8 wrote:
> 1. ping is a security risk from within a jail and is disabled by
> design. (read jail(8) for details). No use using a jail if the first
> thing you do is re-enable ping in the jail. To test for public
> internet connection from within a jail use dig or whois commands.
>
There is a vast difference between testing a network connection and
leaving something in for live deployment. Tools like ping and traceroute
are for network diagnostics. You can easily run into a situation where
dig and whois don't work but ping/traceroute will in which case you
quickly realize hostnames aren't resolving in a jail (or you can find
out where exactly packets stopped at). Meanwhile the person using only
dig and whois might be spinning their wheels trying to fix problems that
aren't really problems. They might have created a jail and have everything
set up except they forgot to create an /etc/resolv.conf in the jail.
There is nothing wrong with allowing raw sockets to get up and running
and then changing it back (the jail man page states to use caution with
raw sockets not a blatant don't do it).
> 2. Using the hosts firewall to drive traffic to a jail is a sign you
> have your jail incorrectly configured or do not understand how jails
> are intended to work.
>
If you have jails assigned to non-routable IPs (i.e. 10.0.0.2,
10.0.0.3) how else would you redirect traffic coming in from your host's
IP:(http_port, dns_port, etc.) to the corresponding jail that handles
it. I've read a bunch of stuff on jails and unless I missed something
(which is totally possible) using a NAT that's part of a firewall seems
like pretty standard fare. How else would you go about it?
> 3. Jails do not have a network stack of their own, so they can't have a
> firewall. The host's firewall and network stack are in control.
>
The documentation is rather sparse since it's so new and I personally
haven't used it but FreeBSD 8 has VIMAGE (network stack virtualization).
http://wiki.freebsd.org/Image/VNETSamples
http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto
http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
> 4. There are 2 utilities for creating jails. Qjail the better
> documented of the 2, is designed for the novice which clearly you are.
> I strongly suggest you checkout
> http://sourceforge.net/projects/qjail
You should probably preface this by saying you're the author of Qjail
and have been actively promoting it in a few places including the fbsd
forums. Nothing wrong with that I guess, but I still haven't been able
to figure out how it's any different (better?) than ezjail (which has both
an excellent website and man page).
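The "NAT that's part of a firewall" setup that point 2 above describes, written out as an added example (this is not a script from the post, from Qjail or from FreeBSD). It generates the pf(4) rules that translate outbound jail traffic to the host's address and redirect published host ports to the jail that serves each one. The interface name em0, the jail network 10.0.0.0/24 (assumed to be aliased onto a cloned lo1 so the addresses never leave the host) and the port-to-jail mapping are all assumptions for illustration. The generator rejects two jails publishing the same proto/port, because pf applies the first matching rdr rule and would otherwise silently shadow the second jail.

```shell
#!/bin/sh
# Emit a pf(4) ruleset that NATs a private jail network behind the host
# and forwards selected host ports to the jail that serves each one.
# Added illustration of the NAT-based approach discussed above; not from
# the post or from FreeBSD. Assumed layout: jails on 10.0.0.0/24 (aliased
# onto a cloned lo1), public interface em0.

# parse_entry "tcp:80:10.0.0.2" -> sets proto, port, ip; returns 1 if malformed.
parse_entry() {
    proto=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    ip=${rest#*:}
    case $proto in tcp|udp) ;; *) echo "bad proto in '$1'" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port in '$1'" >&2; return 1 ;; esac
    case $ip in ''|*[!0-9.]*) echo "bad address in '$1'" >&2; return 1 ;; esac
    return 0
}

# gen_pf_rules EXT_IF JAIL_NET ENTRY...
#   Prints a pf.conf fragment on stdout.  Translation (nat/rdr) rules are
#   emitted before filter rules because pf requires that order, and the
#   block rule precedes the pass rules because pf's last matching filter
#   rule wins.  Returns 1 on a malformed entry or when two entries publish
#   the same proto/port: pf applies the first matching rdr, so a duplicate
#   would silently shadow the second jail instead of failing loudly.
gen_pf_rules() {
    ext_if=$1; jail_net=$2; shift 2
    seen=" "
    for e in "$@"; do
        parse_entry "$e" || return 1
        case $seen in *" $proto/$port "*) echo "duplicate $proto/$port" >&2; return 1 ;; esac
        seen="$seen$proto/$port "
    done

    printf 'ext_if = "%s"\njail_net = "%s"\n\n' "$ext_if" "$jail_net"
    printf '# outbound: jails share the host address\n'
    printf 'nat on $ext_if from $jail_net to any -> ($ext_if)\n\n'
    printf '# inbound: redirect each published port to the jail that serves it\n'
    for e in "$@"; do
        parse_entry "$e"
        printf 'rdr on $ext_if proto %s from any to ($ext_if) port %s -> %s port %s\n' \
            "$proto" "$port" "$ip" "$port"
    done
    printf '\n# default-deny toward the jail network, then allow only what was published\n'
    printf 'block in on $ext_if from any to $jail_net\n'
    for e in "$@"; do
        parse_entry "$e"
        printf 'pass in on $ext_if proto %s from any to %s port %s\n' "$proto" "$ip" "$port"
    done
}

# Stand-alone use (save as jailnat.sh): write the ruleset and, on a host
# that has pf, syntax-check it with pfctl(8) without loading it.
if [ "${0##*/}" = "jailnat.sh" ]; then
    gen_pf_rules em0 10.0.0.0/24 tcp:80:10.0.0.2 tcp:53:10.0.0.3 udp:53:10.0.0.3 \
        > /tmp/pf-jails.conf
    command -v pfctl >/dev/null 2>&1 && pfctl -nf /tmp/pf-jails.conf
fi
```

On the ping point from the same reply: on FreeBSD 8 the per-jail knob is the allow.raw_sockets parameter of jail(8), off by default; turning it on while you chase a resolv.conf or routing problem and turning it back off before the jail goes live is the pattern the reply argues for. The generated ruleset only admits the ports you publish, so a jail that is reachable from outside is reachable on exactly those ports and nothing else.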