Mixing public and private jails

I'm new to networking. I've been reading "Jails and VNET", a guide by Derik Ramirez, "FreeBSD Mastery: Jails" by Michael Lucas and others of his books, and I'm unsure how to accomplish what I want.

I want to host a set of public services (i.e., accessible from the Internet) and private services (only accessible while on my home network or via wireguard; ideally shouldn't communicate with each other).

Derik's layout has 2 bridges (1 private and 1 public) and I think here I could do the same:

* 2 bridges
* Caddy web server jail connected to both bridges
* Wireguard jail connected to both bridges
* public and private services attached to their respective bridges
* Use PF to enforce the public/private separation and permit only my laptop's IP (fixed within the network) to connect to the private network

The PF part feels complicated, so I'm wondering if there is a more elegant way of doing this? Derik also calls his design "ugly" and "weird" in the book, but I have no clue why that's the case.

Does this make sense and will it accomplish what I want, especially from a safety perspective?
 
The quick and simple answer: put your local-only services only in your LAN(s) and services that are (also) accessible from outside into a DMZ. PF on your router forwards traffic from the outside to the respective services and/or a reverse-proxy that also resides in the DMZ, and also allows (or blocks) the traffic between LAN and DMZ.
Using a DMZ is the common way of separating things that can be reached from the outside and a LAN - no idea what's "ugly" or "weird" about that...

The 'correct' answer: it always depends on your needs, network layout and the weird, non-standard behaviour of some services that you are trying to run. I.e. some won't work correctly through a reverse proxy or don't play well with NAT. Also for more and more large projects, some 'web designers' hard-code their assumptions about infrastructure (of which they have no clue...) and make it hard to properly deploy a service in a given network setup.
 
For context we're talking about my home network, using a consumer-grade router which does not allow me to create a true DMZ and has limited settings. I'm looking into getting some better hardware but for now this is what I have. Thus, I assume I can translate "public bridge" to DMZ in this scenario, while the "private bridge" is the LAN.

Would this be a case of
* All private jails use vnet and get an IP within the same subnet as the LAN, e.g., 192.168.188.255/24 (is this important at all, if PF is in the mix?)
* PF only allows traffic from LAN or wireguard jail to pass on to the private jails

I'm not running anything (IMO) exotic, just regular web services which play nicely without reverse proxies, even though I'll use one. Stuff like Forgejo, Paperless, a tangled.sh node, maybe nextcloud.
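To make the PF side of the two-bridge layout concrete (the router-forwarding and LAN/DMZ split described in the reply above, and the "PF only allows LAN or wireguard to the private jails" rule from this post), here is a pf.conf put together as an added example; it is not from the thread or from either book, and every interface name, subnet and address in it is an assumed placeholder:

```pf
# Added example, not from the thread or from either book: every interface
# name, subnet and address below is an assumed placeholder.
# Topology assumed: this FreeBSD host runs PF and all jails; re0 is its
# home-LAN interface, where the consumer router forwards TCP 80/443 and
# UDP 51820. bridge0 carries the public jails, bridge1 the private jails,
# each with its own subnet so neither shares the LAN broadcast domain.
ext_if   = "re0"
pub_if   = "bridge0"
priv_if  = "bridge1"
lan_net  = "192.168.188.0/24"   # home LAN
pub_net  = "10.10.0.0/24"       # public ("DMZ") jails
priv_net = "10.20.0.0/24"       # private jails
wg_net   = "10.30.0.0/24"       # wireguard tunnel addresses
laptop   = "192.168.188.50"     # fixed address of the laptop
caddy    = "10.10.0.2"          # reverse proxy jail on bridge0
wg_jail  = "10.20.0.2"          # wireguard jail on bridge1
table <internal> { $lan_net, $pub_net, $priv_net, $wg_net }

set skip on lo0
scrub in all

# Translation: jails leave through the host's LAN address; router-forwarded
# ports land on the reverse proxy and on the wireguard jail.
nat on $ext_if from { $pub_net, $priv_net } to any -> ($ext_if)
rdr on $ext_if inet proto tcp to ($ext_if) port { 80, 443 } -> $caddy
rdr on $ext_if inet proto udp to ($ext_if) port 51820 -> $wg_jail

block log all                         # default deny on every interface
pass out quick on $ext_if keep state  # host and NATed jails may go out

# Public side: only the redirected ports may enter the DMZ.
pass in on $ext_if proto tcp to $caddy port { 80, 443 } keep state
pass in on $ext_if proto udp to $wg_jail port 51820 keep state

# Private side: only the laptop and wireguard peers may reach private jails
# (the laptop needs a route for $priv_net via this host's LAN address).
pass in on $ext_if from $laptop to $priv_net keep state
pass in on $priv_if from $wg_net to $priv_net keep state

# Jails may reach the Internet but nothing internal; the DMZ block is logged
# so a compromised public jail probing inward shows up in pflog.
block log quick on $pub_if from $pub_net to <internal>
pass in on $pub_if from $pub_net to ! <internal> keep state
pass in on $priv_if from $priv_net to ! <internal> keep state

# Traffic between two jails on the same bridge is switched at layer 2 and
# never crosses these rules unless bridge(4) pfil filtering is enabled.
```

Two jails sharing a bridge can still talk to each other regardless of these rules; if that matters, either give them separate bridges or turn on the net.link.bridge.pfil_bridge / net.link.bridge.pfil_member sysctls from bridge(4) and filter on the bridge members too.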
 
> which does not allow me to create a true DMZ

It only needs to support VLANs.

Otherwise, with a flat network there is zero advantage in separating jails (or other hosts), or more precisely: it isn't possible, as everything is in the same broadcast domain anyway...
 