Re: SUMMARY: Jails and loopback interfaces
One solution which I think hasn't been mentioned here is to have jails
on RFC1918 IP addresses or loopback (127/8) and have a packet filter
redirect/forward just the visible services to the internal IP addresses.
I haven't tried it myself but according to others it works.
Michal
Cyril Jaouich wrote on Wed 08. 03. 2006 at 16:17 -0500:
> Well well,
>
> I have received a lot of answers and solutions.
>
> Setup:
> Server A hosts a jail B
> Jail B is Webserver and Database server
> What I want to do:
> Limit access to the database by binding the database on the loopback address
> (127.0.0.1).
>
> Since you can only use 1 ip in a jail and I am running a Web server it has to
> be a routed address (non RFC1918). Also, when a process inside a jail connects
> to the loopback (127.0.0.1), you hit the jail's ip and not the loopback ip of
> the master server (where the jail sits).
>
> In order to secure my database, it's best to use PF to limit exterior access.
> You can also setup another jail that will use an RFC1919 address.
>
> Thanks to:
> Bigby Findrake
> Axel Scheepers
> Josh Bell
> Ricardo A. Reis
> Jon
>
> -Cyril
>
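Michal's approach, written out as an added example that is neither Michal's nor Cyril's configuration: the jail gets an RFC1918 address on a cloned loopback interface, and pf forwards only the web port from the routed address to it, so the database listening on the jail address is never exposed. The interface name em0, the jail address 10.0.0.2, the database port 3306 and the rc.conf lines in the header comment are assumptions; the rules use the pf syntax of the FreeBSD 6 era.

```pf
# /etc/pf.conf on the host. Assumed host setup in /etc/rc.conf (not rules):
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 10.0.0.2 netmask 255.255.255.255"
#   jail_webjail_ip="10.0.0.2"
#   jail_webjail_interface="lo1"
# Inside the jail, both the web server and the database end up listening on
# 10.0.0.2 (binding to 127.0.0.1 lands on the jail address, as Cyril notes).
# Only the web port is forwarded from the routed address; the database port is
# unreachable from outside because it has neither an rdr nor a pass rule.

ext_if   = "em0"       # assumed: interface carrying the routed address
jail_ip  = "10.0.0.2"  # assumed: jail address on lo1
web_port = "80"
db_port  = "3306"      # assumed: database port, example only

# Loopback traffic (host <-> jail, jail <-> jail on lo1) is not filtered.
set skip on { lo0 lo1 }

# Translation happens before filtering: forward web traffic arriving on the
# routed address to the jail. The filter rules below see $jail_ip as the
# destination.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_port \
    -> $jail_ip port $web_port

# Default deny on the outside interface; pf is last-match, so the specific
# pass rules below override this for exactly the traffic they name.
block in log on $ext_if

# Host administration (assumed: ssh on the host, not in the jail).
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# The forwarded web port, and nothing else, reaches the jail from outside.
pass in on $ext_if proto tcp from any to $jail_ip port $web_port \
    flags S/SA keep state

# Explicit, logged refusal of outside traffic to the database port, so a
# later, broader pass rule cannot accidentally expose it.
block in log quick on $ext_if proto tcp from any to $jail_ip port $db_port

# Replies and outbound connections from the host and the jail.
pass out on $ext_if keep state
```

The remaining trust boundary is lo1 itself: the host and any other jail on that interface can still reach the database, which is the same exposure as a loopback-bound service on a plain host.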
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"