Hi:
I'm planning to move services to run in jails. Two jails:
1: Mail related: postfix, cyrus imap and openldap
2: Web related: apache and postgresql
No service should be able to connect out of the jail to remote hosts,
except for postfix that need to connect out to port 25 for delivery to
other domains.
I don't want to allow a ssh out of a jail to the local node, as that
could allow a compromised jail to jump to the host server - even if only
theoretically.
Both jails need to access the named that runs chrooted on the host
server but may not access remote DNS services.
Otherwise than this there is, any connection to remote nodes or the host
server on the loopback interface must be blocked.
I don't have extra IPs to create jails with separate interfaces, but
there is no conflicting port assignments so this shouldn't be a problem.
I have considered to isolate the jails by only offering a loopback
interface and let the firewall impose these policies, but is this at all
possible?
How would you go about implementing the above policies?
Thanks, Erik
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
