SUMMARY: Jails and loopback interfaces
Michal Mertl
mime at traveller.cz
Thu Mar 9 05:13:57 PST 2006
One solution which I think hasn't been mentioned here is to have jails
on RFC1918 IP addresses or loopback (127/8) and have a packet filter
redirect/forward just the visible services to the internal IP addresses.
I haven't tried it myself but according to others it works.
Michal
Cyril Jaouich wrote on Wed 08. 03. 2006 at 16:17 -0500:
> Well well,
>
> I have received a lot of answers and solutions.
>
> Setup:
> Server A hosts a jail B
> Jail B is Webserver and Database server
> What I want to do:
> Limit access to the database by binding the database on the loopback address
> (127.0.0.1).
>
> Since you can only use 1 ip in a jail and I am running a Web server it has to
> be a routed address (non RFC1918). Also, when a process inside a jail connects
> to the loopback (127.0.0.1), you hit the jail's ip and not the loopback ip of
> the master server (where the jail sits).
>
> In order to secure my database, it's best to use PF to limit exterior access.
> You can also setup another jail that will use an RFC1919 address.
>
> Thanks to:
> Bigby Findrake
> Axel Scheepers
> Josh Bell
> Ricardo A. Reis
> Jon
>
> -Cyril
>
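As an added example (not from this thread), a pf.conf sketch of what Michal suggests and what Cyril concludes: jail B sits on an RFC1918 address aliased on a cloned loopback interface, only the web ports are redirected from the public address, and the database port is never redirected, so it stays reachable only from inside the jail. Interface names, addresses and port numbers are assumptions.

```conf
# /etc/pf.conf on server A (assumed names and addresses for illustration)
ext_if   = "em0"          # assumed external interface of server A
ext_ip   = "192.0.2.10"   # assumed public address of server A (TEST-NET-1)
jail_ip  = "10.0.0.2"     # assumed RFC1918 address of jail B, aliased on lo1
web_ports = "{ 80, 443 }"
db_port  = "5432"         # assumed database port; must stay internal

# Traffic between the web server and the database inside jail B goes over
# lo1 (127.0.0.1 inside the jail resolves to $jail_ip), so do not filter it
set skip on { lo0 lo1 }

# Outbound NAT so jail B can reach the Internet from its private address
nat on $ext_if from $jail_ip to any -> ($ext_if)

# Expose only the web service: redirect the public web ports into the jail.
# The database port has no rdr rule, so it is never reachable from outside.
rdr on $ext_if proto tcp from any to $ext_ip port $web_ports -> $jail_ip

# Default deny on the external interface
block in log on $ext_if all

# After rdr the destination is $jail_ip, so pass the redirected web traffic
pass in on $ext_if proto tcp from any to $jail_ip port $web_ports \
    flags S/SA keep state

# Explicit, logged refusal of any external attempt at the database port
block in log quick on $ext_if proto tcp from any to $jail_ip port $db_port

# Let the host and the jail initiate outbound connections
pass out on $ext_if all keep state
```

On the jail side this assumes rc.conf creates the alias with cloned_interfaces="lo1" and ifconfig_lo1="inet 10.0.0.2 netmask 255.255.255.255", and that the database listens on 127.0.0.1 inside the jail, which the kernel maps to $jail_ip.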