On Sat, 6 May 2006, [EMAIL PROTECTED]@mgEDV.net wrote:
Bigby Findrake
Sent: Friday, May 05, 2006 11:42 PM
On Thu, 4 May 2006, Oliver Fromme wrote:
192.168.10.1 = jail ip of the ws
127.0.0.1 = jail ip of the db
Don't use those IPs. In particular it's probably not a
good idea to use localhost as a jail IP. Use only loopback
IPs (other than localhost), like the example that I wrote
above.
I agree with Oliver here - there's a difference between using
the loopback
adapter and using the localhost (127.0.0.1) IP. I would strongly
recommend against using localhost as a jail IP unless you
have a specific
reason *to* do that - in other words, just assign an alias to
the loopback
adapter and use that alias for the jail.
One reason that comes to mind immediately in response to the unasked
question, "why not use the loopback address for a jail?" is
that using the
loopback address for a jail makes it hard to seperate (for
use by packet
filters, for instance) host machine traffic from jail machine traffic.
There are probably other good reasons for *not* using the
loopback address
for a jail as well, but I can't think of any of them.
And of course you should use appropriate packetfilter rules
to enforce
what kind of access between the jails is allowed. Only
allow what you
need.
I agree again. If you're using the jail for security, lock
it down, only
allow traffic that should be going to (and from!) the jail,
and disallow
everything else. Servers tend to accept connections, and not
initiate
them. If this is the case for your server processes, use stateful
firewall rules to enforce the direction of connections - for
instance, you
might want to allow connections to port 80 on your jail, but
you probably
wouldn't want people launching attacks *from* port 80 on your
jail once
they compromise your webserver. Assume that your jail will
get hacked,
and do all you can to prevent that jail from being a useful
staging point
for your attackers next wave of attacks.
well, with your configurations i'm really concerned about the
overlapping configurations of ip-addresses on the loopback-
adapter.
lo0 is originally configured with 127/8 and i'm not sure, if
there's not a chance to confuse something if you add ip's in
the same range (127.0.1.1/32).
There isn't. We use IP aliases on physical adapters in the same manner all the
time. eg:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::20e:cff:fe64:dc95%em0 prefixlen 64 scopeid 0x1
inet 10.0.2.3 netmask 0xffffff00 broadcast 10.0.2.255
inet 10.0.2.1 netmask 0xffffffff broadcast 10.0.2.1
No problem whatsoever.
as far as i read on other posts
about overlapping ip's it's not recommended (at least by some
guys).
I can't think of any reason not to.
what about configuring something like:
ifconfig lo1 plumb
ifconfig lo1 10.10.10.1 netmask 255.255.255.252 up
... and so on for futher jails?
There's no reason to keep the jail on the loopback adapter in the 127/8 range.
Set its IP as you would any other. An RFC1918 address seems perfect, and
that's what I used.
/-------------------------------------------------------------------------/
"I dread success. To have succeeded is to have finished one's business
on earth, like the male spider, who is killed by the female the moment
he has succeeded in his courtship. I like a state of continual
becoming, with a goal in front and not behind."
-- George Bernard Shaw
finger://[EMAIL PROTECTED]
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
