Solved Best Jail management tool (new private IP address is needed?)

Hello all,

I have a FreeBSD 13 on AWS EC2.
I will install the Matrix homeserver (synapse), but for security reasons, I will do it in a Jail.
And I plan to have another Jail for other services as well (like an IRC server).

What is the best Jail Management Tool in your opinion? Iocage?

The second question is, do I need to have another Private IP address to assign to a Jail?
Or can I have Jail(s) without IP address assigned and only redirect port from my host to a Jail? What is best and recommended way?

Thanks
 
You can attach your jails to a loopback device and then use pf to NAT them to your physical network. This way you do not need to explicitly assign static IP addresses on your physical network. pf will also do the port forwarding for you.
 
I use sysutils/iocell and the loopback-approach as described by Holger for hosts with a single public IP.
This way you can just specify the jails with their loopback-IPs in /etc/pf.conf and rdr to the jails (maybe with additional filters or port translation).

e.g. from one of my mailservers:
Code:
[...]
dovecot_v4 = "127.1.0.2"
dovecot_v6 = "::1.0.2"
postfix_v4 = "127.1.0.3"
postfix_v6 = "::1.0.3"
nginx_v4 = "127.1.0.5"
nginx_v6 = "::1.0.5"
[...]
# rdr all whitelisted smtp/s connections to postfix
rdr log (to pflog1)     on $ext_if      inet    proto tcp   from <spamd-white>          to port { smtp, smtps } -> $postfix_v4
rdr log (to pflog1)     on $ext_if      inet    proto tcp   from <nospamd>              to port { smtp, smtps } -> $postfix_v4
# rdr all new smtp connections to spamd; spamd currently only works with ipv4!
rdr         on $ext_if      proto tcp   from any    to port { smtp, smtps } -> 127.0.0.1 port spamd
# spamd only works with ipv4 for now, so we have to rdr all ipv6 mail traffic directly to postfix
rdr log (to pflog1)     on $ext_if      inet6   proto tcp                               to port { smtp, smtps } -> $postfix_v6
# rdr all non-blacklisted submission connections to postfix
rdr         on $ext_if      inet        proto tcp           from !<badhosts>            to port submission -> $postfix_v4
rdr         on $ext_if      inet6       proto tcp           from !<badhosts>            to port submission -> $postfix_v6
# rdr all non-blacklisted imap/s connections to dovecot
rdr         on $ext_if      inet        proto tcp           from !<badhosts>            to port { imap, imaps, sieve } -> $dovecot_v4
rdr         on $ext_if      inet6       proto tcp           from !<badhosts>            to port { imap, imaps, sieve } -> $dovecot_v6
# nginx; relays to all web interfaces in other jails
rdr         on $ext_if      inet        proto tcp           from !<badhosts>            to port https ->  $nginx_v4
rdr         on $ext_if      inet6       proto tcp           from !<badhosts>            to port https ->  $nginx_v6
[...]

(the weird mixed notation of v6 addresses is default on FreeBSD and I haven't found a way to change this representation; so I just went with it in pf and other configs...)

For upgrades that might take longer and/or might go wrong, I just clone the jail with a new IP (and if necessary update the configs accordingly), perform all upgrades and, if everything went smoothly, I just change the IPs in pf.conf so all new connections go to the updated jail.

I'd also recommend running a caching resolver (unbound) for the jails, otherwise your host might hit rate-limits on the nameserver you might be provided with by the hoster (been there once during a huge spam wave...). Plus you can set records for jails and simplify connections between jails - i.e. you can specify the hostname of the database-jail instead of an IP, which simplifies updates/changes.


Hint: all of this also works with vnet jails connected to a local bridge (not connected to any physical/external interface). I began using jails and iocage (which became iocell) when vnet was still in beta and occasionally crashed the host on teardown, so I just stayed with the loopback approach out of habit and laziness to change all the existing hosts. Although I also have some vnet jails running by now, it's just still not my standard approach.
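Applied to the original question (a synapse jail plus an IRC jail on an EC2 host with a single address), the following is an added example of the loopback-plus-pf layout both answers describe; it is not from anyone in the thread. The interface name ena0, the jail paths and hostnames, and the IRC TLS port 6697 are assumptions to adjust for your host.

```conf
## /etc/rc.conf on the host: a cloned loopback for the jail addresses, pf and jails at boot
cloned_interfaces="lo1"
pf_enable="YES"
pflog_enable="YES"
jail_enable="YES"

## /etc/jail.conf on the host: each jail gets one /32 on lo1 and no address on the EC2 NIC
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/local/jails/$name";          # assumed location of the jail roots

synapse {
    host.hostname = "synapse.jail.local"; # assumed hostname
    ip4.addr = "lo1|127.1.0.2/32";
}
ircd {
    host.hostname = "ircd.jail.local";    # assumed hostname
    ip4.addr = "lo1|127.1.0.3/32";
}

## /etc/pf.conf on the host ("ena0" is an assumed EC2 interface name, check ifconfig);
## the EC2 security group must also allow 443, 8448 and 6697 for any of this to be reachable
ext_if     = "ena0"
jail_net   = "127.1.0.0/24"
synapse_v4 = "127.1.0.2"
ircd_v4    = "127.1.0.3"

set skip on lo   # host<->jail and jail<->jail traffic over loopback is not filtered

# Translation rules (pf requires them before the filter rules):
# inbound Matrix client (https) and federation (8448) traffic goes to the synapse jail,
# IRC over TLS (6697) to the ircd jail; outbound jail traffic leaves with the host address.
rdr on $ext_if inet proto tcp to port { https, 8448 } -> $synapse_v4
rdr on $ext_if inet proto tcp to port 6697            -> $ircd_v4
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Filter rules: rdr is applied first, so the pass rules match the translated loopback destination.
block in log on $ext_if
pass in on $ext_if inet proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto tcp to $synapse_v4 port { https, 8448 }
pass in on $ext_if inet proto tcp to $ircd_v4 port 6697
pass out on $ext_if

# Upgrading via a clone, as in the post above: point synapse_v4 at the clone's lo1 address and
# run `pfctl -f /etc/pf.conf`; existing states stay on the old jail, new connections hit the clone.
```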
 