Which jails networking architecture?

Hi all,

I am not a security expert, but I have to set up some servers with web services and specific applications that would be open to the web with the help of ZeroMQ via an SSH tunnel, with a double stack IPv4/IPv6, or possibly only IPv6.

Code:
WEB -------------- FreeBSD -------------- Jail_server
                   Host        |--------- Jail_www_framework
                               |--------- Jail_www_database
                               |--------- Jail_smtp
                               |--------- Jail_application

The Jail_application is security critical and would serve only a white list from the web.

Questions:
  1. Is it mandatory to be dual stack IPv4/IPv6? Can I be IPv6 only or would it prevent some customers to use my services?
  2. Shall I use a virtual interface to isolate the jails from the web with the use of NAT? Or is it equivalent to have the host and the jails on the same IPv6 subnet, thanks to appropriate pf rules?
  3. Should I put Jail_application on another host or is it alright thanks to appropriate pf rules?
  4. What else should I consider?

Good and recent links are welcome.
 
  1. It's not mandatory but keep in mind a lot of ISPs still do not support IPv6 so their customers only have IPv4 access.
  2. If you only have one IPv4 address it might be a good idea to isolate. It does add another layer of complexity to an already complex configuration.
  3. That depends on how security critical it is. If it's that critical putting it on a separate box will be a good idea. You can harden the box a little extra without interfering with the other applications.
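One way to realise the isolated layout from question 2 and answer 2 with non-VNET jails, as an added example that is not from any poster in this thread: the jails are bound to aliases on a cloned loopback lo1 in 10.0.0.0/24, the host has a single public address on em0, the database jail is never reachable from outside, and a pf table holds the whitelist for Jail_application. The interface names, addresses, whitelist entries and application port are all assumptions.

```conf
# /etc/pf.conf for a single-address host with non-VNET jails (added example).
# Assumed rc.conf on the host:  cloned_interfaces="lo1" with each jail address
# set as an lo1 alias (e.g. ifconfig_lo1_alias0="inet 10.0.0.2/32").
ext_if   = "em0"          # assumed public interface
jail_if  = "lo1"          # assumed cloned loopback carrying the jail addresses
jail_net = "10.0.0.0/24"  # assumed private jail network

jail_www  = "10.0.0.2"    # Jail_www_framework
jail_db   = "10.0.0.3"    # Jail_www_database (never exposed)
jail_smtp = "10.0.0.4"    # Jail_smtp
jail_app  = "10.0.0.5"    # Jail_application
app_port  = "8080"        # assumed service port of Jail_application

# Clients allowed to reach Jail_application (constructed sample addresses).
# Change it at runtime with: pfctl -t app_whitelist -T add <address>
table <app_whitelist> persist { 203.0.113.10, 203.0.113.20 }

set skip on lo0

# Outbound: every jail shares the host's single public IPv4 address.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Inbound: redirect only the services that must be public. No rdr exists for
# the database jail, so it cannot be reached from the web at all.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $jail_www
rdr on $ext_if inet proto tcp from any to ($ext_if) port 25 -> $jail_smtp
rdr on $ext_if inet proto tcp from <app_whitelist> to ($ext_if) port $app_port -> $jail_app

# Default deny, logged, then explicit allows (last matching rule wins).
block in log all
pass out quick keep state

pass in on $ext_if inet proto tcp from any to $jail_www port { 80, 443 } keep state
pass in on $ext_if inet proto tcp from any to $jail_smtp port 25 keep state
pass in on $ext_if inet proto tcp from <app_whitelist> to $jail_app port $app_port keep state
# SSH to the host itself, the endpoint of the ZeroMQ tunnel mentioned above.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state

# Between jails: only the framework jail may talk to the database jail
# (assumed PostgreSQL port); any other jail-to-database traffic hits the block.
pass in on $jail_if inet proto tcp from $jail_www to $jail_db port 5432 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a rejected address or whitelist entry shows up at that step rather than after the rules are live.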
 
Thank you very much @SirDice. I have some additional questions or confirmation requests please.

My ISP offers a double stack IPv4/IPv6. As far as I have understood, I shall keep exposing IPv4 for my future customers that do not have IPv6.

As far as I could read, VIMAGE for vnet is not mature enough, at least it shall be used with IPFW and not pf, but it is a post from June 2012, which may not be up-to-date. Do you have the latest status on this? With some nice links?

It may be important for me since ZeroMQ needs a local loopback for local IPC. But stability in production is my main concern, anyway.

Otherwise, I will keep it basic with proven architectures. The problem is to find an up-to-date tutorial for the networking/BSD/jails newbie I am. Today, I have to pick here and there and there. Most tutorials assume two interfaces, one for the WEB, the other for the LAN. May I assume I can substitute the internal interface with a virtual bridge?

What is the recommended way to build the virtual bridge for use with jails? An old post says cloned_interfaces for jails is not right.

I shall say I am a bit lost.
 
As of 9.1 VNET/VIMAGE is still highly experimental and unreliable. Based on your security requirements you should stick with non-VNET jails. For best public access stay with IPv4 and leave IPv6 to some future date when it becomes more common. Don't make your network more complicated than it has to be.
 