One solution which I think hasn't been mentioned here is to have jails on RFC1918 IP addresses or loopback (127/8) and have a packet filter redirect/forward just the visible services to the internal IP addresses.
I haven't tried it myself but according to others it works.

Michal

Cyril Jaouich writes on Wed 08. 03. 2006 at 16:17 -0500:
> Well well,
>
> I have received a lot of answers and solutions.
>
> Setup:
> Server A hosts a jail B
> Jail B is Webserver and Database server
> What I want to do:
> Limit access to the database by binding the database on the loopback address
> (127.0.0.1).
>
> Since you can only use 1 ip in a jail and I am running a Web server it has
> to be a routed address (non RFC1918). Also, when a process inside a jail connects
> to the loopback (127.0.0.1), you hit the jail's ip and not the loopback ip of
> the master server (where the jail sits).
>
> In order to secure my database, it's best to use PF to limit exterior access.
> You can also setup another jail that will use an RFC1919 address.
>
> Thanks to:
> Bigby Findrake
> Axel Scheepers
> Josh Bell
> Ricardo A. Reis
> Jon
>
> -Cyril

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
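The layout Michal suggests, written out as an added pf.conf fragment (this is not from the thread or from any poster; it is an illustration). It assumes the public interface is em0, that the jail is bound to a loopback alias 127.0.1.1 (created on the host with `ifconfig lo0 alias 127.0.1.1 netmask 255.255.255.255`), that the web server listens on 80/443 inside the jail, and that the database listens on 5432 on the same jail address; all of those values are assumptions. Only the web ports are redirected from the routed address to the jail; the database port is never translated, and 127/8 is not reachable from outside, so the database can only be reached from processes on the host or in the jail.

```pf
# Added example, not from the original thread. Assumed values: em0 is the
# public interface, 127.0.1.1 is the jail's loopback alias, 80/443 are the
# web ports, 5432 is the database port.
ext_if   = "em0"
jail_ip  = "127.0.1.1"
web_ports = "{ 80, 443 }"
db_port  = "5432"

# Traffic on lo0 (jail web server -> jail database) is host-local; leave it
# unfiltered so the web server can reach the database on the same address.
set skip on lo0

# Translation rules come before filter rules in pf.conf.
# Redirect only the visible service from the routed address to the jail.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $jail_ip

# Default deny inbound on the public interface.
block in on $ext_if

# Let the redirected web connections through to the jail.
pass in on $ext_if proto tcp from any to $jail_ip port $web_ports keep state

# The database port is not redirected, so this rule never matches external
# traffic; it is here to make the intent explicit and to log any attempt.
block in log quick on $ext_if proto tcp from any to $jail_ip port $db_port

pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm afterwards with `pfctl -s nat` that only the web ports appear in the translation table. Inside the jail the database must bind to the jail's own address (127.0.1.1 here), not to 127.0.0.1, since 127.0.0.1 inside a jail resolves to the jail address anyway, as Cyril observed.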
