TFTPD jail accessible as tftpd only from one i/f?

Status
Not open for further replies.

n3mmr

Explorer
Joined
Jan 7, 2015
Messages
82
I have a need to connect a FreeNAS box jail for one single purpose on one single ethernet interface.

I want to use this jail as a repository for diagnostic files, logs and firmware updates to switches placed outside my private router, while the rest of this FreeNAS box is my media server, placed inside my private NAT router.

So this jail must be accessible via tftp from the network 10.0.0.0/16, which is outside and feeding my private network (a 192.168.1.0 network) via my private router.

I have the 10.0. network available on a switch in the same room as my FreeNAS.

What would you suggest as a simple and secure starting point?
 

n3mmr

Finally got part of the way.

I now have a jail named TFTPd, with igb0 attached and with a fixed address for that in 10.0.0.0/16.
I deleted the igb0 i/f in the FreeNAS web GUI before any of this, to prevent accidentally enabling it for other uses.

I have storage attached, storage that can also be accessed from the main part of the FreeNAS box.

I have sshd and, I believe, tftpd running. I started the sshd and inetd services inside the jail, after uncommenting the existing tftp line in inetd.conf. I will have to add -u and a few other options to the tftpd command line and chown/chgrp to adapt to the network administrator user names expected by the switches.

I will also want to enable syslog to store switch syslogs, and reasonably secure file copying facilities suited to the needs of Windows users.


Why didn't I just do it right from the start? The main reason for that was that the automatics and magic behind the management web GUI got me confused.
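
As an added example (not part of the original posts, and not FreeNAS or FreeBSD project code): a small shell check for the tftp line that the post describes uncommenting in inetd.conf. It reports whether tftpd is chrooted (-s), which user it switches to (-u), whether requests are logged (-l) and whether clients may create new files (-w). The function name, finding labels and sample entries are constructed for illustration; the flags are those documented in FreeBSD's tftpd(8).

```shell
#!/bin/sh
# Added example: audit the active tftp line of an inetd.conf for the
# FreeBSD tftpd(8) flags -s, -u, -l and -w.

# audit_tftp_entry FILE: prints one finding per line, returns 0 when clean.
audit_tftp_entry() {
    entry=$(grep -E '^tftp[[:space:]]' "$1" | head -n 1)
    [ -n "$entry" ] || { echo "NO_ACTIVE_TFTP_ENTRY"; return 2; }
    set -f; set -- $entry; set +f      # split into whitespace-separated fields
    [ $# -ge 7 ] || { echo "MALFORMED_ENTRY"; return 2; }
    shift 7                            # drop service..argv0, keep tftpd flags
    root="" user="nobody" log=0 create=0
    OPTIND=1
    while getopts ':ls:u:wU:F:' opt "$@"; do
        case $opt in
            s) root=$OPTARG ;;         # chroot directory
            u) user=$OPTARG ;;         # account used after the chroot
            l) log=1 ;;                # log requests via syslog
            w) create=1 ;;             # write requests may create new files
            *) : ;;                    # other flags are not assessed here
        esac
    done
    findings=0
    [ -n "$root" ] || { echo "NO_CHROOT"; findings=1; }
    [ "$user" != "root" ] || { echo "RUNS_AS_ROOT"; findings=1; }
    [ "$log" -eq 1 ] || { echo "NO_REQUEST_LOG"; findings=1; }
    [ "$create" -eq 0 ] || { echo "CLIENTS_CAN_CREATE_FILES"; findings=1; }
    return $findings
}

# Constructed sample entries (not the poster's actual file): one commented-out
# line and one active line without chroot or logging.
tmp=$(mktemp)
printf '%s\n' \
    '#tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot' \
    'tftp dgram udp wait root /usr/libexec/tftpd tftpd -w /mnt/store' > "$tmp"
audit_tftp_entry "$tmp" || echo "review the tftp entry"
rm -f "$tmp"
```

CLIENTS_CAN_CREATE_FILES is informational when switches are expected to upload logs or diagnostics; in that case the chroot directory and its ownership are what bound where those uploads can land.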
 

n3mmr

I have verified that it works.

What are the security issues with a jail like this?
 