correctly configuring PF with jailed environments

Fbsd8 fbsd8 at a1poweruser.com
Sun Aug 10 12:02:49 UTC 2014


Norman Khine wrote:
> Hello, I have a web application running in 3 jail environments: one for the Nginx
> web server, one for MongoDB/Redis and one for my Node.js application.
> 
> this is my current pf.conf file
> 
> https://gist.github.com/nkhine/d03ea23a749c47bcc4d0
> 
> this works, as there is no access to my node app nor any of the dbs from
> public interfaces.
> 
> the rules come out as
> 
> # pfctl -s rules
> scrub out log on igb0 all random-id min-ttl 15 set-tos 0x1c fragment reassemble
> scrub in log on igb0 all min-ttl 15 fragment reassemble
> scrub in all fragment reassemble
> 
> I find that on my web server I get timeouts and the HTML application does not
> load up quickly!
> 
> Also, are there any improvements I can make to this so as to ensure a more
> secure environment?
> 
> any advice much appreciated
> 

I do not see this as a jail or pf problem.
Look at commenting out any mod_* from the httpd.conf file that the HTML 
application does not use. Check that the 3 apache jails are not using 
the same service port (80). Do not use the apache default directory 
location for holding your HTML application files. Disable the pf 
firewall in rc.conf and test if this speeds up apache.

More information about the freebsd-questions mailing list