Port-forwarding to jails

Status
Not open for further replies.

glotzer

Dabbler
Joined
Mar 3, 2014
Messages
19
Is it safe to set up the router to forward ports to the IP of a jail on FreeNAS?
I'm thinking about hosting a game server in a jail there, but I do not want anybody who gets access to a port on that jail to access any other jails or devices in the network. Is this possible without additional hardware?

Thx for the help already.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Not really. We don't recommend you ever forward ports on your router to any computer inside the network. It's standard networking security 101.

If you want to prevent access to your network through a potentially compromised jail, your only option is a VPN.
 

glotzer

Dabbler
Joined
Mar 3, 2014
Messages
19
You are totally right about the VPN stuff, but that's not an option if I want to host something publicly available. Is there no way to get this done in a safe way?

Do I have to use another PC, put it behind the router and then put all my other network stuff behind a 2nd router which is behind the first router?
Because then it is probably easier (and cheaper) to just rent a server somewhere...
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Nope.. the solution is to do a VPN.

If you want to host something publicly available then you are on your own to handle all security for all of your machines. Hint: If you don't do this professionally, you are almost certainly going to get it wrong.
 

Benny Mac

Dabbler
Joined
Apr 14, 2014
Messages
16
We don't recommend you ever forward ports on your router to any computer inside the network. It's standard networking security 101.


Hello cyberjock. I'm hoping you can elaborate on this for me please. I'm not running FreeNAS yet, but intend to be in a couple of weeks (ordered the ECC-compatible new h/w yesterday). One thing I want to do is run Apache (in a jail) along with Gallery3, PHP and a MySQL server.

How can I get that working without forwarding port 80 on the router to the IP of the Apache jail? Am I taking your advice too literally, or are you saying not to open up Apache on FreeNAS to users outside the local network?

I have what I'd classify as "minimal" understanding of network security, so am really looking for your advice here. If FreeNAS is not designed for access outside of the local network then I'll probably stick with the PC-BSD system I currently run. I'd also be interested to hear what it is about FreeNAS that makes it different from PC-BSD in this regard.
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
If you're hosting a web server, you have to create a NAT rule.
I don't understand how to use a VPN with a web server: share your authentication key? :rolleyes:
Perhaps somebody is able to elaborate?
I don't see the point of, for example, setting up ownCloud and not sharing it with your family, friends...
But if you create a NAT rule (define incoming port, protocol, destination port and IP address), you have to properly manage all the incoming traffic (including bot requests...) for the protocol used (defined in your firewall NAT rule).
[Edit] If you don't know what you are doing, don't do it.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
VPN is the safest method for network security. This isn't a network security forum so I won't give much more advice on the topic. I'm also not a network security professional so I don't feel comfortable talking about it. It's been discussed extensively elsewhere in the forum if you want to do some reading though.
 