# Design issue: gateway for service jails



## uisge (Oct 17, 2011)

Hi --

I do have a couple of service jails with rfc1918 addresses (e.g. 10.0.0.1) running on a host with a static IP (e.g. 1.2.3.4). Everything is working as expected.

Current setup is as follows:

```
IfExternal/1.2.3.4,10.0.0.1 (host) <-- rdr+nat --> IfExternal/10.0.0.1 (jail)
```
Recently I was trying to add IPv6 addresses (e.g. a:b:c:d::1) like:

```
IfExternal/1.2.3.4,a:b:c:d::1,10.0.0.1 (host) <-- rdr(+nat) --> IfExternal/a:b:c:d::1,10.0.0.1 (jail)
```
I didn't use NAT for IPv6 because I believe that isn't supported yet. That's the reason why I used the static IPv6 address in my jail. That works as well.

I do have to admit that I am not an expert when it comes to security; thus, I do not know if binding that externally known IPv6 address a:b:c:d::1 to my jail has to be considered a security risk. Thus I tried to use link local rfc3879 addresses (e.g. feef::1) bound to the local interface (lo0), and modified my setup as follows:

```
IfExternal/1.2.3.4,a:b:c:d::1,10.0.0.1 (host) <-- rdr(+nat) --> IfLocal/feef::1,10.0.0.1
```
This works regarding IPv4 address space, but fails with IPv6, presumably because I didn't have NAT between feef::1 and a:b:c:d::1.

Before investigating that further, I would like to know if using IP addresses bound to an external interface (IfExternal) in a jail has to be considered a security risk at all? I am absolutely uncertain and would like to gain input from you experts.

Thanks.


----------



## SirDice (Oct 17, 2011)

uisge said:

> Before investigating that further, I would like to know if using IP addresses bound to an external interface (IfExternal) in a jail has to be considered a security risk at all?


Why do you think it's a security risk?


----------



## uisge (Oct 17, 2011)

SirDice said:

> Why do you think it's a security risk?



As I said: I am not a security expert at all. I was thinking that whenever someone might gain access to my jail, one might then have "extra" options to gain access to the host, thus escaping the jail. But I do have to admit that is merely a gut feeling of mine ...

May I take your question as an answer: no additional security risk?


----------



## SirDice (Oct 17, 2011)

If you had forwarded, for example, port 80, your attacker would also gain access in a similar fashion. He'd end up in the same jail, having the same options.


----------



## gkontos (Oct 17, 2011)

uisge said:

> Before investigating that further, I would like to know if using IP addresses bound to an external interface (IfExternal) in a jail has to be considered a security risk at all? I am absolutely uncertain and would like to gain input from you experts.
> 
> Thanks.


It really depends on what level of segregation you want to achieve.
For example, if you want to create a completely isolated jail for a database server, then you could bind it to a different NIC. That way a firewall rule could only allow incoming traffic to port 3306 from an application server.
In this scenario, however, NAT should not be used, since it would destroy the whole purpose of isolation, and thus security.


----------
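
The isolated database jail described in the post above, written as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; the interface name `em1` and both addresses are assumed values.

```pf
# Constructed example values; none of these come from the thread.
db_if   = "em1"          # assumed: second NIC dedicated to the database jail
db_jail = "10.0.1.10"    # assumed: jail address bound to $db_if
app_srv = "10.0.1.20"    # assumed: application server on the same segment

set skip on lo0

# Deliberately no nat/rdr rules mention $db_if or $db_jail: the jail is
# reachable only at its own address on the dedicated segment, never
# through the host's public address.

# Default deny in both directions on the database interface, with logging
# so rejected connection attempts show up on pflog0.
block log on $db_if all

# The jail may not open new connections on any filtered interface (lo0 is
# skipped above). Replies to the connections allowed below are not affected,
# because they match existing state before the ruleset is evaluated.
block out quick from $db_jail to any

# Only the application server may open connections to MySQL (3306).
pass in quick on $db_if inet proto tcp from $app_srv to $db_jail \
    port 3306 flags S/SA keep state
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it, and list the active rules afterwards with `pfctl -sr`.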

