Re: Can a home LAN server use a jail as a router?

2010-12-05 Thread Da Rock

On 12/06/10 12:29, Xn Nooby wrote:

> Hello.  Is it possible to use FreeBSD to create three "jails" on one
> box, so that one jail can be a router to the internet, and the other
> two can be webservers?  I wanted to create an environment where if one
> webserver got compromised, the other webserver would be unaffected. I
> have old hardware, so I do not have hardware VT in the chip. I thought
> I previously read that a jail could only have 1 NIC, but I have not
> been able to confirm that. That would spoil my router plan, if true.
>
> I'm more familiar with Linux than FreeBSD, but Linux seems to be
> moving from Xen towards KVM (which requires VT).  I could use Xen,
> probably on Debian if I did. Xen seems to require a specially built
> Linux kernel on Debian, and I'm not sure I like that.
>
> I'd also like to set up a personal samba file-server, but I'm deathly
> afraid the machine would get hacked while wired to the net. So I would
> also like to make a jail to be a samba server.
>
> All these jails are predicated on one of them being able to act as a
> router between the internet and my home LAN. I want some "jails" to
> talk the internet (via the router jail), and some "jails" to only be
> available in my house.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
   
You can have more than one IP, but the actual config of specific NICs is 
done by the host. As for being a router I don't know- I'm not sure you 
can access the sysctl needed, or whether the sysctl will affect the host 
(and therefore other services and jails). And thirdly I'm not sure of 
the validity of it.


Jail your services and run a firewall (pf?) on the host. That will 
control who can get to what, and allow you to 'route' your network the 
way you want to. I'm sure someone else could point out any security 
flaws in this scenario, but it should do what you want and be relatively 
secure.


I'd be reading up on Jails and understanding exactly what they are and 
what they are not too. They aren't actual 'emulators' per se, they are 
more a locked up chroot system. Make sure that is exactly what you 
want/need.


HTH


Re: Can a home LAN server use a jail as a router?

2010-12-07 Thread Martes G Wigglesworth


On 12/05/2010 10:53 PM, Da Rock wrote:

> Is it possible to use FreeBSD to create three "jails" on one
> box, so that one jail can be a router to the internet, and the other
> two can be webservers?

What you seem to need is to run the host as a router, and create two or
three more jails on top of that router kernel.
The default should be a router and the secondary functions should be
the jail.
I think you just need to read a bit more on how jails are used on the
BSD platform and it will be clear to you.

> I wanted to create an environment where if one
> webserver got compromised, the other webserver would be unaffected.

This would be the true use of jails in your environment.
You want to isolate web services such as Apache installs into jails so
if they get compromised then you don't have to worry about the rest of
the system becoming completely compromised.

> So I would
> also like to make a jail to be a samba server.

I believe that you can install samba inside a jailed environment as
well; however, I have never done this, so I am not familiar with how it
will be done. However, I have a Bind-9 environment where the external
internet interface serves the internet my public information, and there
is a second jail which hosts dns for the internal segment. So I can see
how Samba can be installed in a jail, and it would make appropriate
sense to do so.


I hope this helps you in your investigation(s).

--
Respectfully,


Martes G Wigglesworth
M. G. Wigglesworth Holdings, LLC
www.mgwigglesworth.net
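
The layout suggested in the two replies above (the host routes and runs pf, the services sit in jails), sketched as a host-side pf.conf. This is an added example, not part of any poster's message; the interface names, addresses and ports are assumptions.

```conf
# /etc/pf.conf on the jail HOST. Constructed example: every interface name,
# address and port below is an assumption, not taken from the thread.
# Assumed in the host's rc.conf: gateway_enable="YES", pf_enable="YES",
# cloned_interfaces="lo1"; jail addresses are /32 aliases set up by the host.

ext_if  = "em0"             # assumed NIC facing the internet
lan_if  = "em1"             # assumed NIC facing the home LAN
lan_net = "192.168.1.0/24"  # assumed home LAN
web1    = "10.0.0.11"       # web jail 1, alias on lo1
web2    = "10.0.0.12"       # web jail 2, alias on lo1
samba   = "192.168.1.5"     # samba jail, alias on $lan_if (LAN only)

scrub in all

# Outbound NAT for the LAN and for the web jails' private addresses.
nat on $ext_if inet from { $lan_net, $web1, $web2 } to any -> ($ext_if)

# Inbound: publish each web jail on its own external port.
rdr on $ext_if inet proto tcp to ($ext_if) port 80   -> $web1 port 80
rdr on $ext_if inet proto tcp to ($ext_if) port 8080 -> $web2 port 80

# Default deny on every interface, lo0 included.
block log all

# Packets between addresses on the same host (jail to jail included) are
# delivered over lo0, so lo0 is filtered instead of skipped: each address
# may reach only itself, which keeps web1, web2 and samba apart.
pass quick on lo0 inet from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet from $web1  to $web1
pass quick on lo0 inet from $web2  to $web2
pass quick on lo0 inet from $samba to $samba

# Internet -> web jails (destination already rewritten by rdr above).
pass in on $ext_if inet proto tcp to { $web1, $web2 } port 80

# LAN -> samba jail on SMB ports only; no rule lets $ext_if traffic reach it.
pass in on $lan_if inet proto tcp from $lan_net to $samba port { 139, 445 }
pass in on $lan_if inet proto udp from $lan_net to $samba port { 137, 138 }

# LAN -> everything else, routed by the host.
pass in on $lan_if inet from $lan_net to ! $samba

# Outbound on the external NIC; the source is already the NAT address here.
pass out on $ext_if inet from ($ext_if) to any
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.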



Re: Can a home LAN server use a jail as a router?

2010-12-07 Thread Xn Nooby
> I hope this helps you in your investigation(s).

Yes, thank you and the previous poster.  It sounds like my "outer" box
needs to be the router, and everything else should be a jail. I will
do some more reading up on jails.  Thanks!


Re: Can a home LAN server use a jail as a router?

2010-12-07 Thread Nikos Vassiliadis

On 12/7/2010 8:15 PM, Xn Nooby wrote:

>> I hope this helps you in your investigation(s).
>
> Yes, thank you and the previous poster.  It sounds like my "outer" box
> needs to be the router, and everything else should be a jail. I will
> do some more reading up on jails.  Thanks!


You can create infinitely complex network topologies,
using vnet jails. Check the URLs below to get the picture:

http://imunes.tel.fer.hr/virtnet/eurobsdcon07_tutorial.pdf
http://wiki.freebsd.org/Image/VNETSamples

Just my 2 cents, Nikos


Re: Can a home LAN server use a jail as a router?

2010-12-08 Thread patrick
Be sure to check out the ezjail port in /usr/ports/sysutils/ezjail --
it makes deploying and updating multiple jails really fast;
exponentially faster than building a jail as per jail(8).

http://erdgeist.org/arts/software/ezjail/

Patrick

On Tue, Dec 7, 2010 at 10:15 AM, Xn Nooby wrote:
>> I hope this helps you in your investigation(s).
>
> Yes, thank you and the previous poster.  It sounds like my "outer" box
> needs to be the router, and everything else should be a jail. I will
> do some more reading up on jails.  Thanks!