I have two servers - one is my recently rebuilt my home server, and the other is a dedicated server rented from a hosting provider, which I refer to as the cloud server. This dedicated server handles several jails containing web services and other things that are reachable from the internet (primarily for my own personal use). Each jail on the cloud server has a dedicated ipv4 address. I use
Now, having finished migrating all my local stuff to my new and improved home server, I am considering decommissioning the cloud server altogether and moving all those jails to my local server. From a performance and latency perspective I have no concerns, but some reconfiguration will be required since I'll be going from individual public IPs for each jail to port forwarding my one home public IP.
Here is my preliminary plan, and I wanted to see if there are any holes in my thoughts here that I'm overlooking.
1. Currently all home server jails and the host are reached through one physical interface, igb0 (each jail is configured with its own IP on the LAN through this interface). The server has two interfaces, so for all jails that are being moved from the cloud server to local, these will be bound to the second interface, igb1.
2. I will set up a special reverse proxy jail for the purpose of serving the web services hosted in the other jails.
3. I will set up a port forward rule on my router, pointing 443 to the IP of the reverse proxy jail on igb1.
4. I will configure
With this accomplished, my end goal is to have my internet-accessible services reachable on my home server in the same way as they are on my cloud server, without being directly reachable from the LAN except through their URL or via
I believe this could be done slightly more efficiently through the use of VNETs on the internet-accessible jails by creating a little jailed LAN just between the relevant jails, but I don't have any experience with setting these up so I thought I would stick to what I know and handle it all on the normal LAN (though I might experiment a bit with this to see if it works for me and how much complexity it adds).
Come to think of it I could also just put those jails on a different subnet which shouldn't be too difficult since no special routing would be needed, as they are intended to be unreachable on the lan.
Is my plan sound? Am I opening myself up to problems (security or otherwise) that I'm not seeing? Is there anything I should be aware of that I didn't consider?
ipfw for basic firewalling functionality. There is a single subnet and no VLANs or other special network considerations on the home LAN.Now, having finished migrating all my local stuff to my new and improved home server, I am considering decommissioning the cloud server altogether and moving all those jails to my local server. From a performance and latency perspective I have no concerns, but some reconfiguration will be required since I'll be going from individual public IPs for each jail to port forwarding my one home public IP.
Here is my preliminary plan, and I wanted to see if there are any holes in my thoughts here that I'm overlooking.
1. Currently all home server jails and the host are reached through one physical interface, igb0 (each jail is configured with its own IP on the LAN through this interface). The server has two interfaces, so for all jails that are being moved from the cloud server to local, these will be bound to the second interface, igb1.
2. I will set up a special reverse proxy jail for the purpose of serving the web services hosted in the other jails.
3. I will set up a port forward rule on my router, pointing 443 to the IP of the reverse proxy jail on igb1.
4. I will configure
ipfw on the host to block all incoming and outgoing connections to the entire igb1 interface except via WAN and between the jail IPs and the reverse proxy jail.With this accomplished, my end goal is to have my internet-accessible services reachable on my home server in the same way as they are on my cloud server, without being directly reachable from the LAN except through their URL or via
jexec on the server itself, with little to no risk to my home network in the event of a jailed service being compromised (barring someone having an unknown exploit to escape a jail anyway).I believe this could be done slightly more efficiently through the use of VNETs on the internet-accessible jails by creating a little jailed LAN just between the relevant jails, but I don't have any experience with setting these up so I thought I would stick to what I know and handle it all on the normal LAN (though I might experiment a bit with this to see if it works for me and how much complexity it adds).
Come to think of it I could also just put those jails on a different subnet which shouldn't be too difficult since no special routing would be needed, as they are intended to be unreachable on the lan.
Is my plan sound? Am I opening myself up to problems (security or otherwise) that I'm not seeing? Is there anything I should be aware of that I didn't consider?
