jails, ipfilter & stunnel

V. Jones vjones62 at earthlink.net
Sun Jul 13 09:49:15 PDT 2003


> You don't have to have multiple IP aliases for multiple jails.  Or at
> least there is no technical necessity for this (in FreeBSD 4.x, that is,
> don't know about 5.x).  If it's just about running server processes in
> their own jail (no port number conflicts) you can have all jails on the
> same IP address and do the IP filtering (if necessary at all in this
> scenario) based on port numbers.
>

Okay, I didn't realize I could run more than one jail on one ip address.  I guess if I needed ssh on each jailed server I could just make sure the port number is unique.


> > Finally, I'd like to use SSL to offer secure web connections & secure email
> > without having to buy two certificates.  Am I getting too cute if I accept
> > ssl connections on one ip address and use stunnel to route them to the
> > appropriate jailed server?
>
> In case of all jails on one IP address this problem goes away, too.  You
> could define a generic domain name for the SSL stuff, for instance
> 'secure.domain.tld', get a certificate for that and use it for web as
> well as email and other purposes.
>
>     Uwe
>
This confuses me - doesn't the host name have to match the certificate?  Can two jails have the same host name too?

-- 
Valen Jones
