Separating Webserver Jail from the Network

Status
Not open for further replies.

madtulip

Explorer
Joined
Mar 28, 2015
Messages
64
Thanks for reading :).
noobs configuring electronics, part 14:

I got a "webserver" jail running with a FAMP stack and I'd like to separate it from my LAN in case somebody breaks in. Even more so since I read that the main system in the jails is not updated as FreeNAS's OS is updated. So I thought I could use the 2nd NIC "igb1" of my very-close-to-FreeNAS-Mini box and plug it into a port on vlan2 while I keep the rest of my home network on vlan1. I would then want to use igb1 only for the "webserver" jail. I'm not sure if the way I plan to implement this is the right one, so I thought I'd ask before diving into it.

There is the router 192.168.0.1 and it can not have multiple IP addresses. So I can not set up the 2nd NIC using the GUI to be on a different network like 192.168.1.XXX, as that would not be on the same network as the router. I connect that to switch port fa0/1, which is in trunking mode for vlan 1-2.

I connect igb0 (home network and FreeNAS) to switch port fa0/2, which is in vlan1.
I connect igb1 (server's 2nd NIC for the "webserver" jail) to switch port fa0/3, which is in vlan2.

From ifconfig on the FreeNAS I got that there is currently:
Code:
% NIC for home LAN
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
  ether XX:XX:XX:XX:XX:XX
  inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
  nd6 options=9<PERFORMNUD,IFDISABLED>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active

% NIC for webserver
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
  ether YY:YY:YY:YY:YY:YY
  nd6 options=9<PERFORMNUD,IFDISABLED>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active

% Bridge between igb0 and all epairs of all jails
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
  nd6 options=1<PERFORMNUD>
  id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
  maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
  root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
  member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 8 priority 128 path cost 2000
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 7 priority 128 path cost 2000
  member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 1 priority 128 path cost 20000

% epairs to jails
% epair0a connects to some intranet jail like a media player
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8<VLAN_MTU>
  ether AA:AA:AA:AA:AA:AA
  nd6 options=1<PERFORMNUD>
  media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
  status: active

% epair1a connects to "webserver" jail
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8<VLAN_MTU>
  ether BB:BB:BB:BB:BB:BB
  nd6 options=1<PERFORMNUD>
  media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
  status: active


So the idea is to create bridge1 connecting igb1 and epair1a and to remove epair1a from bridge0, so it would look like this:
Code:
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
  nd6 options=1<PERFORMNUD>
  id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
  maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
  root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 8 priority 128 path cost 2000
  member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 1 priority 128 path cost 20000

bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether WW:WW:WW:WW:WW:WW
  nd6 options=1<PERFORMNUD>
  id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
  maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
  root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
  member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 8 priority 128 path cost 2000
  member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 1 priority 128 path cost 20000


I would not assign an IP address to igb1 (as above) as that's on vlan2 and the main FreeNAS system, which I do not want to expose.

Is that a possible configuration or am I doing something categorically wrong? Is it possible to not assign an IP to igb1 so that FreeNAS is not accessible from vlan2? Is that sufficient to exclude someone with root access on "webserver" from vlan1?

I expected bridge0 to be created in /etc/rc.conf but found that FreeNAS seems to initialize the interfaces from /etc/rc.conf.local using the _interface_config() function, by importing the settings for the network adapters from somewhere (probably the whole GUI thing). I probably don't want to mess with that file, so I would execute a script after /etc/rc.conf.local loads in order to disconnect epair1a from bridge0, create bridge1 and attach epair1a to bridge1?

I'm sorry if the questions seem noobish. It's garage-level fiddling around with stuff and I'd just like to get some feedback before I even start tampering with the root FreeNAS system. Thanks!
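An added example (not from madtulip's post and not FreeNAS code) of the bridge move planned above, together with the check a practitioner would want afterwards: that the jail's epair no longer shares a bridge with the LAN NIC, that it shares one with the DMZ NIC, and that igb1 carries no IPv4 or IPv6 address, since an address on igb1 is exactly what would make the host reachable from vlan2 (a link-local inet6 address counts). Interface and bridge names (igb0, igb1, epair1a, bridge0, bridge1) are taken from the post; the embedded ifconfig samples are constructed, condensed versions of the output above.

```shell
#!/bin/sh
# Added example, not from the original post. Moves the "webserver" jail's epair
# from bridge0 (LAN) to a new bridge1 on the IP-less second NIC, and audits the
# result. The interface names follow the thread; they are assumptions, adjust them.
LAN_IF=${LAN_IF:-igb0}         # NIC carrying the FreeNAS host address (vlan1)
DMZ_IF=${DMZ_IF:-igb1}         # NIC patched into vlan2, must carry no address
JAIL_IF=${JAIL_IF:-epair1a}    # host side of the webserver jail's epair
LAN_BRIDGE=${LAN_BRIDGE:-bridge0}
DMZ_BRIDGE=${DMZ_BRIDGE:-bridge1}

# Print the bridge that interface $1 is a member of (ifconfig output on stdin).
bridge_of() {
    awk -v want="$1" '
        /^[a-z][a-z0-9.]*: flags=/ { cur = $1; sub(":", "", cur) }
        cur ~ /^bridge/ && $1 == "member:" && $2 == want { print cur; exit }
    '
}

# Exit 0 if interface $1 has neither an inet nor an inet6 line (stdin = ifconfig).
has_no_addr() {
    awk -v want="$1" '
        /^[a-z][a-z0-9.]*: flags=/ { cur = $1; sub(":", "", cur) }
        cur == want && ($1 == "inet" || $1 == "inet6") { found = 1 }
        END { if (found) exit 1; exit 0 }
    '
}

# Audit: jail epair on a bridge with the DMZ NIC, not with the LAN NIC, and the
# DMZ NIC without any address. Reads ifconfig output on stdin.
check_isolation() {
    cfg=$(cat)
    jb=$(printf '%s\n' "$cfg" | bridge_of "$JAIL_IF")
    lb=$(printf '%s\n' "$cfg" | bridge_of "$LAN_IF")
    db=$(printf '%s\n' "$cfg" | bridge_of "$DMZ_IF")
    [ -n "$jb" ] || { echo "FAIL: $JAIL_IF is not a member of any bridge"; return 1; }
    [ "$jb" != "$lb" ] || { echo "FAIL: $JAIL_IF still shares $jb with $LAN_IF"; return 1; }
    [ "$jb" = "$db" ] || { echo "FAIL: $JAIL_IF is on $jb, $DMZ_IF is on ${db:-no bridge}"; return 1; }
    printf '%s\n' "$cfg" | has_no_addr "$DMZ_IF" || { echo "FAIL: $DMZ_IF carries an address"; return 1; }
    echo "OK: $JAIL_IF and $DMZ_IF share $jb, $LAN_IF is on ${lb:-no bridge}, $DMZ_IF has no address"
}

# The reconfiguration itself. Prints the commands unless DO=1 (run as root on the host).
run() { if [ "${DO:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }
move_jail_to_dmz() {
    run ifconfig "$LAN_BRIDGE" deletem "$JAIL_IF"
    run ifconfig "$DMZ_BRIDGE" create
    run ifconfig "$DMZ_BRIDGE" addm "$DMZ_IF" addm "$JAIL_IF" up
    run ifconfig "$DMZ_IF" up
}

# Constructed samples (condensed from the thread): before and after the move.
SAMPLE_BEFORE=$(cat <<'EOF'
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether YY:YY:YY:YY:YY:YY
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
)
SAMPLE_AFTER=$(cat <<'EOF'
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether YY:YY:YY:YY:YY:YY
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
)

case ${1:-} in
    apply) move_jail_to_dmz ;;
    audit) ifconfig | check_isolation ;;
    demo)  printf '%s\n' "$SAMPLE_BEFORE" | check_isolation || true
           printf '%s\n' "$SAMPLE_AFTER" | check_isolation ;;
esac
```

`sh isolate.sh apply` prints the ifconfig commands, `DO=1 sh isolate.sh apply` runs them, and `sh isolate.sh audit` runs the check against the live `ifconfig` output. The commands change only the running state: FreeNAS rebuilds its interfaces at boot, and a warden stop/start recreates the jail's epair, so the audit should be re-run after either.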
 

madtulip

Explorer
Joined
Mar 28, 2015
Messages
64
Found that the router has a "guest" network on 192.168.200.1 available over one of its LAN ports. I might use that on vlan2 while setting the webserver jail's IP to 192.168.200.2. Still not sure if I can just not configure the IP of the igb1 adapter for FreeNAS, as I don't want that system on the exposed vlan. I'll report if that's an option once I've tried it.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
This level of security paranoia is not sensible. I think you should abort mission.
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
This level of security paranoia is not sensible. I think you should abort mission.
+1
Very good workaround
 

madtulip

Explorer
Joined
Mar 28, 2015
Messages
64
Yes, it is not "essential" :). Most things in this forum are overkill for home usage. I just like configuring, I guess. Just recabled the physical layer ...
 

gladandong

Cadet
Joined
Feb 23, 2013
Messages
2
I was trying to achieve the exact same goal, and finally came up with the following solution:

1. Go to the jails' root directory. For each jail, create a file named `iface` with the desired interface name as the content.

[root@gorilla] /mnt/archive/jails# ll .*.meta/iface
-rw-r--r-- 1 root wheel 6 Aug 17 18:56 .btsync.meta/iface
-rw-r--r-- 1 root wheel 6 Aug 17 18:56 .owncloud.meta/iface
-rw-r--r-- 1 root wheel 6 Aug 18 11:58 .plexmediaserver.meta/iface
-rw-r--r-- 1 root wheel 6 Aug 17 18:56 .squid.meta/iface
-rw-r--r-- 1 root wheel 6 Aug 17 18:56 .transmission.meta/iface

[root@gorilla] /mnt/archive/jails# cat .*.meta/iface
vlan1
vlan1
vlan0
vlan1
vlan1

2. For each jail not in the same network as the default route of the FreeNAS server, create a file named `defaultrouter-ipv4` with the IP address of the default gateway as the content.

[root@gorilla] /mnt/archive/jails# ll .*.meta/defaultrouter-ipv4
-rw-r--r-- 1 root wheel 9 Aug 18 12:23 .plexmediaserver.meta/defaultrouter-ipv4

[root@gorilla] /mnt/archive/jails# cat .*.meta/defaultrouter-ipv4
10.1.1.1

3. Reboot the server or `warden stop/start` the jails manually. You will see additional bridges created automatically, with the proper interfaces added as members.

[root@gorilla] /mnt/archive/jails# ifconfig
...
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:60:9b:32:3b:00
nd6 options=1<PERFORMNUD>
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 18 priority 128 path cost 2000
member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 17 priority 128 path cost 2000
member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 14 priority 128 path cost 2000
member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 13 priority 128 path cost 2000
member: vlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 9 priority 128 path cost 20000
...
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:60:9b:32:3b:01
nd6 options=1<PERFORMNUD>
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 16 priority 128 path cost 2000
member: vlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 11 priority 128 path cost 20000

The logic of the bridge handling is located in `/usr/local/share/warden/scripts/backend/startjail.sh`. It looks complete enough to me; after the change all my jails still work as expected (at least for now). No idea why it is disabled in the web interface.

Frank
 

trumee

Explorer
Joined
Jun 29, 2015
Messages
68
Thanks. This worked for me as well.

Assumption: multiple VLANs have already been assigned in Network > VLANs (vlan100, vlan300). The main host is using vlan100 and the second one, vlan300, needs to be given to a jail.
Steps to achieve this:

1. Create a jail with options: IPv4 DHCP checked, VIMAGE checked. The NIC will come up as disabled.
2. In the jail's meta directory .jail/meta, create a file called 'iface' and put vlan200 in it.
3. In the same directory create a file 'defaultrouter-ipv4' and put the secondary gateway in it. I had 192.168.2.1.
4. Inside the jail the DNS may need to be specified in /etc/resolv.conf.

I also had to set vlan300 up in the network interfaces.
Now the jail will be on a separate network from the host.
 