David Allen wrote:
> I've recently been examining the use of jails in FreeBSD, and I have some
> questions I hope someone can shed some light on with respect to running
> virtual servers in jails.
>
> 1. Upgrading.  This is probably an "It Depends" question, but if a host system
> is upgraded (within version numbers), will the new kernel and world on the
> host system cause potential problems with existing jails when they are
> restarted?  Or do the jails need to be rebuilt before they are started?

In general, no.  It is quite possible to host a jail running effectively a
different version of FreeBSD than the base machine -- a technique that is used
extensively in the ports build cluster.  The emulation is not perfect, and
of course the kernel that is used is the one from the base system, but it's
fine for most purposes.

If it's just a case of slight lag between updating the base system and the
jails, then I wouldn't worry about it.

> 2. Localhost.  Jails seem to be implemented using IP address aliasing, so
> anything within the jail that wants to, or is configured to, bind to the
> localhost address, now gets bound to the jail's IP address.  This means
> that what was once local is now publicly available.  Will running a
> firewall on the host system work in such cases?

Yes, a firewall is a good idea.  One very effective method to secure a jail
is to create the jail bound to the *loopback* interface of the main host, and
then use firewall redirect rules to send the wanted traffic to the jail's IP, e.g. using pf:

jail_int = "127.0.0.2"
jail_ext = "12.34.56.78"

[...]

nat on $ext_if proto { tcp udp }              \
    from $jail_int                           \
    to !$jail_int -> $jail_ext static-port
rdr on $ext_if proto tcp                      \
    from any                                 \
    to $jail_ext port { 22 80 } -> $jail_int
rdr on $ext_if proto udp                      \
    from any                                 \
    to $jail_ext port 53 -> $jail_int

So in this case tcp traffic to ports 22 and 80 or udp traffic to port 53
is redirected into the jail.

Variations on this technique are about the only way to effectively give a
jail more than one IP.

> 3. Sendmail.  The usual approach of setting "sendmail_enable=NO" (or using
> DAEMON_OPTIONS) won't prevent sendmail running in a jail from starting up
> and listening for incoming mail from external hosts.  Short of disabling
> sendmail entirely, I'm wondering what approach most people use as a
> workaround.

Fixed by the bind-jail-to-loopback trick above.

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
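A fuller version of the loopback-bound jail setup described in the reply above, added here as an illustration rather than taken from Matthew's mail: the host-side loopback alias, the jail definition, and a pf.conf that combines the nat/rdr rules with a default-deny filter so that services the jail binds to 127.0.0.2 but that are not redirected (such as sendmail on port 25) stay unreachable from outside.  The interface name em0, the jail path and hostname, and the 12.34.56.78 address are assumed placeholders.

```conf
# /etc/rc.conf (assumed host config): give lo0 the alias the jail will use,
# and enable pf.
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255"
pf_enable="YES"
jail_enable="YES"

# /etc/jail.conf (assumed): the jail only ever sees the loopback alias, so
# anything inside it that binds "localhost" or INADDR_ANY lands on 127.0.0.2.
www {
    path = /usr/jails/www;            # placeholder path
    host.hostname = www.example.com;  # placeholder hostname
    ip4.addr = 127.0.0.2;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}

# /etc/pf.conf (assumed host firewall)
ext_if    = "em0"             # placeholder external interface
jail_int  = "127.0.0.2"       # what the jail actually binds to
jail_ext  = "12.34.56.78"     # public address clients connect to
jail_tcp  = "{ 22 80 }"
jail_udp  = "{ 53 }"

set skip on lo0
scrub in on $ext_if all

# Outbound: rewrite the jail's loopback source to the public address.
# static-port keeps the source port, which matters for the DNS server.
nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int \
    -> $jail_ext static-port

# Inbound: only the listed ports are translated to the jail's address.
rdr on $ext_if proto tcp from any to $jail_ext port $jail_tcp -> $jail_int
rdr on $ext_if proto udp from any to $jail_ext port $jail_udp -> $jail_int

# Default deny on the external interface.  Filter rules see the
# post-rdr destination, so the pass rules match on $jail_int.  Port 25
# (sendmail inside the jail) has no rdr and no pass rule, so it is not
# reachable from the network even though the daemon is listening.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $jail_int port $jail_tcp \
    flags S/SA keep state
pass in on $ext_if proto udp from any to $jail_int port $jail_udp keep state
pass out on $ext_if all keep state
```

After loading the rules, `pfctl -sn` shows the nat/rdr translations and `sockstat -4 -j <jid>` on the host lists which ports the jail is actually listening on, which is the quickest way to confirm that only the redirected ones are exposed.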
