So I've never done much with jails but recently I've been wanting to dive into them more and use them as part of my standard workflow on my FreeBSD server. I believe what I've done is basically correct, but I thought I would make a post here to see if someone with more jail experience than me can glance over it and say if I'm overlooking something or doing something in a totally wrong and insecure way.
The server in question is a dedicated server with several publicly routable IP addresses. The network and jails portion of rc.conf on the host is as follows (the IP addresses are placeholders here but are correct on the actual configurations):
Code:
ifconfig_igb0="x.x.x.10 netmask 255.255.255.192"
defaultrouter="x.x.x.1"
ifconfig_igb0_alias0="x.x.x.11 netmask 255.255.255.255"
ifconfig_igb0_alias1="x.x.x.12 netmask 255.255.255.255"
jail_enable="YES"
jail_list="jail1 jail2"
jail_parallel_start="YES"
jail.conf is as follows:
Code:
mount.devfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";

jail1 {
    host.hostname="jail1";
    ip4.addr="x.x.x.11";
    path="/jails/jail1";
}

jail2 {
    host.hostname="jail2";
    ip4.addr="x.x.x.12";
    path="/jails/jail2";
}
* the only network-facing service on the host is sshd, which I've configured with (among other things) ListenAddress x.x.x.10
* Each jail has sshd configured with ListenAddress set for its particular IP, and resolv.conf set with nameservers.
* There is a jails ZFS volume containing a volume for each jail. e.g., pool/jails, pool/jails/jail1, pool/jails/jail2, each set with an appropriate quota property.
* When all work is complete, each jail will contain a different network-facing service on its own IP. A mix of webservers and other services, on whatever port it needs to use.

And that's pretty much it. With this layout, I am able to ssh into the host or the jails as desired from a remote host, and once I begin building out the contents of the jail, I will just connect via jexec and get to work from within the jail.

Am I missing anything with all this? Did I overlook some critical security component here? Or is everything basically perfect?
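Added example, not part of the original post: a small Python consistency check for the layout described above. It confirms that every jail in jail_list has a jail.conf block whose ip4.addr is one of the host's alias addresses, and that the host's sshd ListenAddress does not cover a jail address. The function names and the condensed sample files are assumptions built from the post's placeholder values.

```python
import re
# Constructed sample input, condensed from the post (placeholder addresses kept).
RC_CONF = '''ifconfig_igb0="x.x.x.10 netmask 255.255.255.192"
ifconfig_igb0_alias0="x.x.x.11 netmask 255.255.255.255"
ifconfig_igb0_alias1="x.x.x.12 netmask 255.255.255.255"
jail_list="jail1 jail2"
'''
JAIL_CONF = '''jail1 { host.hostname="jail1"; ip4.addr="x.x.x.11"; path="/jails/jail1"; }
jail2 { host.hostname="jail2"; ip4.addr="x.x.x.12"; path="/jails/jail2"; }
'''
HOST_SSHD = "ListenAddress x.x.x.10\n"  # excerpt of the host's sshd_config

def first_addr(value):
    """Address from an ifconfig_* value, with or without a leading 'inet'."""
    tok = value.split()
    return tok[1] if tok[0] == "inet" else tok[0]

def audit(rc_text, jail_text, sshd_text):
    """Return a list of findings; an empty list means the files agree."""
    rc = dict(re.findall(r'^(\w+)="([^"]*)"', rc_text, re.M))
    host = {first_addr(v) for k, v in rc.items() if re.fullmatch(r"ifconfig_[a-z]+\d+", k)}
    alias = {first_addr(v) for k, v in rc.items() if re.fullmatch(r"ifconfig_\w+_alias\d+", k)}
    jails = {n: re.search(r'ip4\.addr\s*=\s*"([^"]+)"', body)
             for n, body in re.findall(r'^(\w+)\s*\{(.*?)\}', jail_text, re.M | re.S)}
    findings, seen = [], {}  # seen maps address -> first jail using it
    for name in rc.get("jail_list", "").split():
        if name not in jails:
            findings.append(f"{name}: in jail_list but has no block in jail.conf")
            continue
        ip = jails[name].group(1) if jails[name] else None
        if ip is None:
            findings.append(f"{name}: no ip4.addr set")
        elif ip in host:
            findings.append(f"{name}: shares the host's primary address {ip}")
        elif ip not in alias:
            findings.append(f"{name}: {ip} is not an alias in rc.conf")
        elif ip in seen:
            findings.append(f"{name}: {ip} already used by {seen[ip]}")
        if ip:
            seen.setdefault(ip, name)
    # Commented-out "#ListenAddress" lines do not match, as sshd ignores them.
    listen = re.findall(r"^\s*ListenAddress\s+(\S+)", sshd_text, re.M | re.I)
    if not listen:
        findings.append("host sshd: no ListenAddress, so it binds every address, jail IPs included")
    for a in listen:
        if a in ("0.0.0.0", "::") or a in seen:
            findings.append(f"host sshd: ListenAddress {a} covers a jail address")
    return findings

if __name__ == "__main__":
    print(audit(RC_CONF, JAIL_CONF, HOST_SSHD) or "no findings")
```

The jail.conf parsing only handles simple `name { ... }` blocks like the ones posted, not the full jail.conf grammar.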