Public IP to jails and local to the jail host?

Is it ideal and secure to assign a public IP address to one of the jails which serves as a PF firewall and router while assigning a local IP address to the host? I am thinking of a topology as in the attached diagram where the physical server will be on a CF card with / in read-only mode, and the rest of the jails will be mounted on a zfs pool.

Any inputs (including about the proposed topology) from the FreeBSD/NanoBSD experts are welcome and appreciated! Thanks!

PS: I understand that it seems like a single point of failure, but that would be addressed using a HA system in a different system as well as in a different location.
 

Attachments: overview_small.jpeg
zennybsd said:
Is it ideal and secure to assign a public IP address to one of the jails which serves as a PF firewall and router while assigning a local IP address to the host?
That's not how I would do it. It's not even possible to run PF in a normal jail anyway. You would have to use a VIMAGE jail, which works but is still being worked on. So there's not a lot of experience with a setup like that.

I am thinking of a topology as in the attached diagram where the physical server will be on a CF card with / in read-only mode, and the rest of the jails will be mounted on a zfs pool.
That's still possible, except you use the host as the firewall/router and have RFC1918 addresses on your jails, which run the various services you need. You can even bind the host and the jails to different interface cards if you want. Jails can also be bound to a clone of lo0, making them even more 'local-only'.
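As a worked example of the host-as-firewall layout described above, here is one way to wire it up: a cloned loopback (lo1) carrying RFC1918 jail addresses, jail.conf entries that bind each jail to that interface, and a pf ruleset on the host that NATs the jails out and exposes only one of them via rdr. This is an added example, not configuration from the thread, from zennybsd or SirDice, or from FreeBSD's own documentation. The interface name em0, the 10.0.0.0/24 jail network, the jail names and addresses, the ZFS path under /zpool/jails and the 192.0.2.0/24 management network are all assumptions.

```conf
# /etc/rc.conf (fragment): clone a loopback interface for the jails and
# enable pf on the host.  em0 is the assumed NIC holding the public IP.
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1/24"      # host-side address on the jail network
pf_enable="YES"
pflog_enable="YES"
jail_enable="YES"

# /etc/jail.conf: each jail gets an RFC1918 /32 on lo1, so it holds no
# public address at all.  The "lo1|" prefix tells jail(8) which interface
# to add the address to.  To bind the jails to a dedicated NIC instead
# (the "different interface cards" variant), replace lo1 with that NIC.
path = "/zpool/jails/$name";          # assumed: one ZFS dataset per jail
host.hostname = "$name.jail";         # assumed naming scheme
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

web {
    ip4.addr = "lo1|10.0.0.10/32";
}
db {
    ip4.addr = "lo1|10.0.0.11/32";
}

# /etc/pf.conf: the host is the firewall/router.  Jails reach the outside
# via NAT; only the web jail is reachable from outside, through rdr.
ext_if    = "em0"
jail_net  = "10.0.0.0/24"
web_jail  = "10.0.0.10"
admin_net = "192.0.2.0/24"            # assumed management network allowed to ssh in

set skip on lo0                       # caveat: with this line, jail<->host and
                                      # jail<->jail traffic on the loopback is
                                      # NOT filtered; drop it and add lo0 rules
                                      # if the zones must be kept apart too
scrub in all

# Translation happens before filtering, so filter rules below see the
# translated addresses: NATed jail traffic appears to come from ($ext_if),
# and rdr'd web traffic is already addressed to $web_jail.
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_jail

block log all
block in quick on $ext_if from $jail_net    # RFC1918 sources never belong on the public NIC
pass out on $ext_if from ($ext_if) to any keep state   # host traffic and NATed jail traffic
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state
pass in on $ext_if proto tcp from any to $web_jail port { 80, 443 } keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and note that the db jail is reachable only from the host and from the other jails, never from em0. The one-sided rule `pass out ... from ($ext_if)` is deliberate: a rule written as `from $jail_net` on the outbound side would never match, because by the time the filter sees the packet its source has already been rewritten by the nat rule.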
 
SirDice said:
You can even bind the host and the jails to different interface cards if you want. Jails can also be bound to a clone of lo0 making them even more 'local-only'.
I think that those are the only options for providing real isolation. The suggestion to bind jails to different NICs sounds like the best one for achieving zone segregation.
 