How to connect a jail to the web ?
Matthew Seaman
m.seaman at infracaninophile.co.uk
Wed Aug 11 07:42:50 UTC 2010
On 11/08/2010 01:55, Randal L. Schwartz wrote:
>>>>>> "Fbsd8" == Fbsd8 <fbsd8 at a1poweruser.com> writes:
>
> Fbsd8> 2. Using the hosts firewall to drive traffic to a jail is a sign
> Fbsd8> you have your jail incorrectly configured or do not understand
> Fbsd8> how jails are intended to work.
>
> OK, I'll bite. I thought this was the only way to do this. Can you
> elaborate? I'll even accept URL pointers to go read. :)
>
Fbsd8's contention is ... contentious. Giving your jail an IP on the
loopback i/f, and then using NAT to redirect traffic for certain
selected ports lets you run services in the jail that need to bind to
some network address but that you never want exposed to the Internet.
Remember, unless you're using VIMAGE, jails don't have a loopback i/f of
their own. VIMAGE is cool, but as it's still incompatible with various
other kernel bits, I don't think it's quite ready for primetime yet.
Yes, you can achieve the same effect using firewall rules, but as I have
occasionally said before, firewalls should be optional -- ideally your
system should be secure even if you turn the firewall off.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
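As an added illustration of the layout Matthew describes (a jail bound to an address on a loopback interface, with NAT publishing only selected ports), here is one way to lay it out on a FreeBSD host of that era using pf. This is not code from the original mail or from the FreeBSD project. The external NIC em0, the jail name www, the loopback alias 127.0.1.1, the jail root path and the port numbers are assumptions chosen for the example; the rc.conf jail_* variables are the pre-jail.conf style consumed by /etc/rc.d/jail at the time.

```conf
# /etc/rc.conf (host) -- assumed names: jail "www", external NIC em0

# A second loopback interface carries the jail's address. 127.0.1.1 is not
# routable from outside the host, so whatever the jail binds is unreachable
# from the Internet unless the firewall deliberately redirects to it.
cloned_interfaces="lo1"
ifconfig_lo1="inet 127.0.1.1 netmask 255.255.255.255"

jail_enable="YES"
jail_list="www"
jail_www_rootdir="/usr/jails/www"        # assumed path
jail_www_hostname="www.example.org"      # assumed name
jail_www_ip="127.0.1.1"
jail_www_interface="lo1"
jail_www_devfs_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/pf.conf (host)
ext_if   = "em0"
jail_www = "127.0.1.1"

# Do not filter host <-> jail loopback traffic.
set skip on lo0
set skip on lo1

# Publish exactly one service: TCP 80 arriving on the host's public address
# is rewritten to the jail's loopback address. Anything else the jail
# listens on (a database, an admin port, ...) gets no rdr and so stays
# private -- and stays private even if this file is never loaded at all.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    -> $jail_www port 80

# Usual default-deny for everything else on the public interface.
block in on $ext_if
pass out on $ext_if keep state
```

Two things worth knowing when using this: inside a non-VIMAGE jail, a daemon that asks for 127.0.0.1 or INADDR_ANY is transparently given the jail's address, so every listener in the jail ends up on 127.0.1.1 whether it wanted to or not; and because that address is never reachable from the wire, turning pf off closes the one published port rather than opening the rest, which is the "secure with the firewall off" property the mail argues for.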