DaemonForums: FreeBSD Security (Securing FreeBSD)

#1 - 29th July 2008 - starbuck
Getting around Jail IP Addresses

So I've got an odd situation here. I work in a Marketing office at a good-sized university. I want to set up a FreeBSD 7.0 host system with multiple Apache/PHP Jails for each of our websites (13 and counting). The problem I'm running into is the unique IP requirement for each Jail.

Our current setup is an xserve running Apache name-based virtual hosts. The University's network services department assigns our server a static IP and points whatever domains at it that we want.

I'm trying to avoid asking network services to give us 13 static IPs, because I don't want to use up more than our share of local IPv4 addresses (and the less I have to deal with them the better).

I was thinking I could set up a PF box that forwards packets to a small private network where the Jail system sits and I can define whatever IPs I want. But the question is then, how do I set up the PF box to forward the right packets to the right Jail/IP? Is there an easier solution I'm missing?

I've been searching all over for a good solution and I haven't found one. I appreciate any help you can give me (even if it's "jails aren't the solution here").
#2 - 29th July 2008 - hunteronline

Quick Question:

"I can define whatever IPs I want". Are you referring to only allowing certain IPs access to Apache/websites?

#3 - 29th July 2008 - starbuck

Quote:
Originally Posted by hunteronline
Quick Question:

"I can define whatever IPs I want". Are you referring to only allowing certain IPs access to Apache/websites?
No, I want all these websites to be open and available over the web. Sorry if I'm not explaining it very well. We want to separate the sites so that if one gets compromised they all don't.

What I meant when I said "I can define whatever IPs I want" was that we could then define private IPs, like 192.168.0.*** for each of the jails. Then we would only (hopefully) need one static IP from network services, which would point to a PF box that could redirect traffic to the appropriate jail/IP.

I'm messing around with some things right now to test, I'll let you know if I figure anything out.
#4 - 30th July 2008 - phoenix

Simple answer: you can't do what you want, the way you want. You can hide multiple private IPs behind one public IP, but only for outgoing connections. You can't do it in the reverse like you want to.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
#5 - 30th July 2008 - starbuck

Quote:
Originally Posted by phoenix
Simple answer: you can't do what you want, the way you want. You can hide multiple private IPs behind one public IP, but only for outgoing connections. You can't do it in the reverse like you want to.
*Sigh, I figured that would be the answer, but I wanted to make sure. Thanks Phoenix! I'll try and figure something else out.
#6 - 1st August 2008 - starbuck

So I think I found a way to do what we want. We're going to try setting up a reverse proxy with Squid that acts as a gateway to the private LAN where our Jail servers reside. I haven't gotten it working yet, but if it works I'll definitely let you know.
#7 - 1st August 2008 - phoenix

You may want to check out Varnish if you are going the reverse-proxy route. From their FAQ:
Quote:
Why bother with Varnish - why not use Squid?

Varnish was written from the ground up to be a high performance caching reverse proxy. Squid is a forward proxy that can be configured as a reverse proxy. Besides - Squid is rather old and designed like computer programs were supposed to be designed in 1980. Please see ArchitectNotes for details.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
#8 - 3rd August 2008 - starbuck

Quote:
Originally Posted by phoenix
You may want to check out Varnish if you are going the reverse-proxy route. From their FAQ:
Thanks phoenix I'll have to look into that.
#9 - 9th August 2008 - starbuck

So we ended up using the Pound reverse proxy:

http://www.apsis.ch/pound/

It's working great with our ezjails too.

This has been such a crazy couple of weeks. I'm hoping to write up a blog post on everything I had to do to set this up. I'll post again here if I ever get the time to do that.
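An added example of the layout the final post describes (not starbuck's own configuration and not from the Pound project): a single public listener on the Pound host, with one Service per site that matches the HTTP Host header and hands the request to that site's jail on the private LAN. The public address, hostnames and jail addresses below are placeholders.

```conf
# /usr/local/etc/pound.cfg (hypothetical) - one public IP, many jails
User        "www"
Group       "www"
LogLevel    3       # log one line per request, including the client IP
Alive       30      # re-check a backend every 30 seconds after it fails

ListenHTTP
    Address 203.0.113.10        # the one static IP from network services
    Port    80

    # Services are tried top to bottom; the first whose HeadRequire matches
    # gets the request. Each backend is the private address of one ezjail.
    Service
        HeadRequire "Host: .*www\.site-one\.example.*"
        BackEnd
            Address 192.168.0.11
            Port    80
        End
    End

    Service
        HeadRequire "Host: .*www\.site-two\.example.*"
        BackEnd
            Address 192.168.0.12
            Port    80
        End
    End

    # Catch-all for unknown Host headers, so a stray name is not silently
    # handed to a jail that was never meant to serve it.
    Service
        BackEnd
            Address 192.168.0.10    # a jail serving only a placeholder page
            Port    80
        End
    End
End
```

Pound adds an X-Forwarded-For header to each proxied request, so Apache inside every jail should log that header rather than the remote address, which will always be the proxy's private IP; without it the per-jail logs cannot tell one client from another.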