> In fact, it is a good idea to _always_ bind jails to non-
> routable loopback IPs. For example:
>
> jail 1 (webserver) on 127.0.0.2
> jail 2 (database) on 127.0.0.3
>
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.

Ok, technically I get this, but wouldn't it confuse the daemons and slow down the network connections if I use packet forwarding for each packet? Let's say a daemon reads from syslog services and writes to databases.

> Of course there's no problem accessing the database from
> the webserver. Note that you have complete control over
> who can access what, by using your favourite packet filter
> (IPFW, IPF, PF).

This part I definitely don't get. Let's assume this one:

192.168.10.1 = jail IP of the ws
127.0.0.1 = jail IP of the db

Sending to 127.0.0.1 is not possible on 192.168.134.1 (the kernel re-routes it to 192.168.134.1 if man jail is correct). If I set up forwarding rules I'd have to set up something for the real IP's port, no? And I assumed that the setup mentioned can live without additional firewall rules.

I for sure have some "what the hell... how-to" problem with jails, currently ;-)
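A worked IPFW ruleset for the layout the quoted advice describes, added here as an example and not taken from the thread or from any FreeBSD documentation. It assumes (all assumptions) that the host's real address is 192.168.10.1, the webserver jail is bound to 127.0.0.2, the database jail to 127.0.0.3 (both as aliases on lo0), and the database listens on TCP 5432; the fwd rules cover outside access without NAT, and the allow/deny rules are the "who can access what" part.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: real host address
# 192.168.10.1, webserver jail on 127.0.0.2, database jail on 127.0.0.3
# (both lo0 aliases), database listening on TCP 5432.
REAL_IP=${REAL_IP:-192.168.10.1}
WS_IP=${WS_IP:-127.0.0.2}
DB_IP=${DB_IP:-127.0.0.3}
DB_PORT=${DB_PORT:-5432}

# Print the ruleset in the one-command-per-line format that "ipfw <file>" reads.
jail_fw_rules() {
    cat <<EOF
# Outside clients connect to the real IP; fwd hands the packet to the
# webserver jail's loopback address. No address rewriting happens, so the
# daemon inside the jail still sees the client's real source address.
add 100 fwd $WS_IP,80 tcp from any to $REAL_IP 80 in
add 110 fwd $WS_IP,443 tcp from any to $REAL_IP 443 in
# Only the webserver jail may talk to the database port, and only the
# database's replies to the webserver jail are let back through.
add 200 allow tcp from $WS_IP to $DB_IP $DB_PORT
add 210 allow tcp from $DB_IP $DB_PORT to $WS_IP
# Everything else aimed at the database jail (other jails, the outside) is dropped.
add 220 deny ip from any to $DB_IP
# Remaining traffic (syslog, DNS, the rest of loopback) is left alone.
add 65000 allow ip from any to any
EOF
}

# Load the rules into the running kernel. FreeBSD only; older releases also
# need "options IPFIREWALL_FORWARD" compiled into the kernel for fwd to work.
jail_fw_apply() {
    jail_fw_rules | ipfw -q /dev/stdin
}
```

The jailed daemons bind to their own jail address (127.0.0.2 and 127.0.0.3 here); since a jail rewrites 127.0.0.1 to its assigned IP, the database jail is given 127.0.0.3 rather than 127.0.0.1.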
