network setup for Jails on VPS with single public IPv4?

Status
Not open for further replies.

Andy22

Hi,

I have FreeNAS 9.2.1 running fine so far on a remote VPS, now I did run into the problem that the "Jails" subsystem assumes there are free IPv4 addresses it can use and assign to the VM subjails?

In a typical cheap VPS configuration you only get 1 public static IPv4 address and that's it, so how do I need to configure the jails system so they also have net access and reuse the VPS main address? I guess I need some form of routing+NAT?

Maybe there is a way to let jails run in the network context of the FreeNAS host, without needing its own IP address?

thx
Andy
 
dlavigne

Why not use a private IP range for the jails? Even if the jails need to be publicly accessible, the FreeNAS system should be protected by a properly configured firewall.
 

Andy22

> Why not use a private IP range for the jails? Even if the jails need to be publicly accessible, the FreeNAS system should be protected by a properly configured firewall.

If I use a private range, how can I reach the jail from outside?

bye
Andy

PS: I never actually understood why you would need a firewall on a simple FreeBSD NAS/VPS? I mean I have full control over every single service/port I actually have someone listening on and often only SSH/FTP is configured. So what is the firewall protecting me from?
 

cyberjock

> If I use a private range, how can I reach the jail from outside?

NAT (which you mentioned in your post).

> PS: I never actually understood why you would need a firewall on a simple FreeBSD NAS/VPS? I mean I have full control over every single service/port I actually have someone listening on and often only SSH/FTP is configured. So what is the firewall protecting me from?

It's protecting your server from the internet...
 

Andy22

> It's protecting your server from the internet...

How is it protecting the server if the only services running need to be reachable from the internet anyway (SSH/FTP)? This makes no sense to me; without running additional local-only services a firewall is practically useless and does nothing.
 

cyberjock

> How is it protecting the server if the only services running need to be reachable from the internet anyway (SSH/FTP)? This makes no sense to me; without running additional local-only services a firewall is practically useless and does nothing.

To be honest (and a little rude... I'm sorry), if you don't understand, you shouldn't be handling the security of your network.

Machines should never be put on the internet unless they are hardened to be put directly on the internet. Lots of people do it, and they get pwned almost every time. This is why, if you read around, we don't recommend port forwarding under any circumstances but to instead do VPN. FreeNAS was never hardened or even tested to be on the internet directly. But I can tell you that real-world testing has shown it has vulnerabilities. Often because users don't know how to properly secure their server to begin with.

There are plenty of other ports open on your server too. Do a sockstat from the CLI. Think about this... how do you think the GUI is made available to your browser... port 80 or 443, baby! So yeah, assuming ports aren't open because the service is disabled isn't a good assumption to make if security is even a minor concern.
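
Added example, not part of cyberjock's post and not FreeNAS project code: the sockstat check suggested above, turned into a small audit that compares what is listening with what is meant to be public. The `sockstat -4 -l` output is a constructed sample, and the intended-public set (SSH on 22, FTP on 21) is an assumption taken from the services named in the thread.

```python
# Constructed sample of `sockstat -4 -l` output (not captured from a real host).
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1402  4  tcp4   *:22                  *:*
root     proftpd    1518  1  tcp4   *:21                  *:*
root     nginx      1733  6  tcp4   *:80                  *:*
root     nginx      1733  7  tcp4   *:443                 *:*
root     python2.7  1650  5  tcp4   127.0.0.1:9042        *:*
root     ntpd       1290  21 udp4   *:123                 *:*
root     ntpd       1290  22 udp4   127.0.0.1:123         *:*
"""

# Assumption: only SSH and FTP are meant to be reachable from outside.
INTENDED = {("tcp4", 22), ("tcp4", 21)}


def listeners(text):
    """Yield (command, proto, address, port) for each listening socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header or malformed line
        addr, _, port = fields[5].rpartition(":")
        if port.isdigit():
            yield fields[1], fields[4], addr, int(port)


def unexpected_exposure(text, intended=INTENDED):
    """Return sorted (proto, port, command) for listeners that are bound to a
    non-loopback address and are not in the intended-public set."""
    found = set()
    for cmd, proto, addr, port in listeners(text):
        if addr.startswith("127."):
            continue  # loopback only, not reachable from the network
        if (proto, port) not in intended:
            found.add((proto, port, cmd))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, cmd in unexpected_exposure(SAMPLE):
        print(f"{proto} port {port} ({cmd}) is listening on a non-loopback address")
```

On a real host, feed the function the text from `sockstat -4 -l` instead of `SAMPLE`; anything it reports is a candidate for a firewall rule or for rebinding to loopback.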
 

Andy22

Thx for the security lecture, but this leads nowhere.

So except for NAT I can't run a jail in the context of the host/base network system?
 

cyberjock
