Jail on a DMZ and system on LAN

Status
Not open for further replies.

Jacopx

Patron
Joined
Feb 19, 2016
Messages
367
Good morning everyone! ;)

I've been running a system for some years; I use it for Plex, Transmission, Gogs and, since a few weeks ago, for NextCloud. I have obtained an externally signed SSL certificate from Let's Encrypt and everything works great.
What I'm asking now is: since I have 3 GbE Ethernet ports, can I use one of these to link FN to my pfSense router and put only one of my jails in a different LAN (a DMZ) to better secure my system against attack? I think so... I have seen a NIC option in the jail advanced settings but I haven't tried it yet because I'm far from home. Is that where I need to start?
 

millst

Contributor
Joined
Feb 2, 2015
Messages
141
It can be done. I have a web server and torrent client running in different jails on the DMZ. First, configure one of the unused NICs for operation on the DMZ network. Next, assign that NIC to the jail.

I'd say that a VM would provide additional security over a jail and using a separate piece of hardware would provide even more security. I'd like to eventually move towards the latter, maybe with a Pi, but I've been more focused on things like Pfblocker and snort.

-tm
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,419
And putting things in the DMZ is the opposite of securing them isn't it?

The DMZ is on the wild west side of your firewall.
 

millst

Contributor
Joined
Feb 2, 2015
Messages
141
I believe all LAN accessible to the FreeNAS host will be routable by a compromised jail.

Depends how it is configured. Looking at my setup, I now realize it wasn't as easy as using the web UI. I wrote some scripts that run during jail startup. The jails in the DMZ get placed in a different bridge that is associated with the DMZ NIC.

With VIMAGE enabled, the DMZ jails can see each other and the DMZ, but nothing else. If somebody compromises a DMZ jail, they can't get to the regular LAN or NAS (other than anything mounted). They'd have to compromise the jail system itself next.

-tm
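A jail-startup script of the kind described above, written as an added example (it is not millst's script and not part of FreeNAS). It assumes a warden-style VIMAGE jail whose interface is named epairNb inside the jail and epairNa on the host, that FreeNAS attaches the host side to bridge0 (the LAN bridge), and that the DMZ NIC name (igb2 here) and the DMZ bridge name are passed in by the caller:

```shell
#!/bin/sh
# Added example: move a VIMAGE jail's host-side epair out of the default LAN
# bridge (assumed to be bridge0) into a bridge tied to the DMZ NIC, so the
# jail can only reach the DMZ segment behind pfSense.
# Assumes warden-style naming: epairNb inside the jail, epairNa on the host.

# Map the jail-side interface name to the host-side one: epair3b -> epair3a
epair_host_side() {
    case "$1" in
        epair*b) printf '%sa\n' "${1%b}" ;;
        *) echo "not an epair jail interface: $1" >&2; return 1 ;;
    esac
}

# Print the ifconfig(8) sequence for moving one jail interface to the DMZ
# bridge. Arguments: host-side epair, DMZ NIC, DMZ bridge, LAN bridge.
# Printing the plan keeps it reviewable (and testable) before it is applied.
dmz_plan() {
    hostif=$1 nic=$2 dmzbr=$3 lanbr=$4
    printf 'ifconfig %s create 2>/dev/null || true\n' "$dmzbr"        # idempotent
    printf 'ifconfig %s addm %s up 2>/dev/null || true\n' "$dmzbr" "$nic"
    printf 'ifconfig %s deletem %s 2>/dev/null || true\n' "$lanbr" "$hostif"
    printf 'ifconfig %s addm %s\n' "$dmzbr" "$hostif"
    printf 'ifconfig %s up\n' "$hostif"
}

# Locate the jail's epair via jexec/ifconfig and apply the plan (FreeBSD only).
move_jail_to_dmz() {
    jail=$1 nic=$2 dmzbr=${3:-bridge1} lanbr=${4:-bridge0}
    inner=$(jexec "$jail" ifconfig -l | tr ' ' '\n' | grep '^epair[0-9]*b$' | head -n 1)
    [ -n "$inner" ] || { echo "no epair interface found in jail $jail" >&2; return 1; }
    hostif=$(epair_host_side "$inner") || return 1
    dmz_plan "$hostif" "$nic" "$dmzbr" "$lanbr" | sh -e
}

# usage: sh dmz-jail.sh <jail> <dmz-nic> [dmz-bridge] [lan-bridge]
# e.g.   sh dmz-jail.sh nextcloud igb2 bridge1 bridge0
if [ "$#" -ge 2 ]; then
    move_jail_to_dmz "$@"
fi
```

Run it from the jail's post-start hook; afterwards `ifconfig bridge1` should list both the DMZ NIC and the jail's epairNa, and `ifconfig bridge0` should no longer list the epair.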
 

Jacopx

Patron
Joined
Feb 19, 2016
Messages
367
I'd say that a VM would provide additional security over a jail and using a separate piece of hardware would provide even more security. I'd like to eventually move towards the latter, maybe with a Pi, but I've been more focused on things like Pfblocker and snort.

Yeah, you're right... I already have a Pi but I can't use it for NextCloud; I haven't enough space and it's used by too many people to be handled on a Rasp :/

Depends how it is configured. Looking at my setup, I now realize it wasn't as easy as using the web UI. I wrote some scripts that run during jail startup. The jails in the DMZ get placed in a different bridge that is associated with the DMZ NIC.

With VIMAGE enabled, the DMZ jails can see each other and the DMZ, but nothing else. If somebody compromises a DMZ jail, they can't get to the regular LAN or NAS (other than anything mounted). They'd have to compromise the jail system itself next.

Uhmmm this is interesting!
 