# Xorg setup



## zader (Dec 9, 2016)

Hi all,

Just wanted to ask about Xorg on a forward-facing firewall .. I'm building a firewall with several jails and want to put it all together under Xorg.

One issue I noticed from this https://www.bsdstore.ru/en/xorg_in_jail.html is

"7) In the jail settings, set *allow_kmem* and change *devfs_ruleset* to any non-existent one (for example *99*). In this case all of _/dev_ will be open. If opening everything is inappropriate, use the information above to create your *ruleset*:"

I guess my first question is .. is this even correct? Do you need to essentially gimp-a-fy the jail to get X to work?

What would be the best placement for Xorg in a multi-jail environment? On the root OS? In a jail off the host? In a nested jail within the rest of the jails? etc.

Thanks
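The quoted step points a jail at a ruleset number that does not exist, which leaves nothing hidden in its devfs. The following is an added example (not from the thread or from bsdstore.ru): a POSIX sh audit that reads jail.conf and devfs.rules text and reports jails whose `devfs_ruleset` is undefined or that have `allow.kmem` on. The sample jail.conf and the `devfsrules_jail_gfx` ruleset are constructed, and the `dri/*` node is an assumption about what a kms-based X server opens.

```shell
#!/bin/sh
# Audit a jail.conf for the two settings the quoted guide recommends: a devfs_ruleset
# that is not defined anywhere (so no hide rules apply and the jail sees all of /dev)
# and allow.kmem. Sample input is constructed; 1-4 are the stock rulesets shipped in
# /etc/defaults/devfs.rules.

defined_rulesets() {   # $1 = devfs.rules text; prints one ruleset number per line
    printf '1\n2\n3\n4\n'
    printf '%s\n' "$1" | sed -n 's/^\[[^=]*=\([0-9][0-9]*\)\]$/\1/p'
}

ruleset_defined() {    # $1 = number, $2 = devfs.rules text
    defined_rulesets "$2" | grep -qx "$1"
}

audit_jail_conf() {    # $1 = jail.conf text, $2 = devfs.rules text; one finding per line
    conf=$1; rules=$2; jail=""
    printf '%s\n' "$conf" | while IFS= read -r line; do
        case "$line" in
            '#'*) ;;
            *'{') set -- $line; jail=$1 ;;          # "name {" opens a jail block
            *devfs_ruleset*)
                n=$(printf '%s\n' "$line" | sed 's/.*=[[:space:]]*\([0-9][0-9]*\).*/\1/')
                ruleset_defined "$n" "$rules" ||
                    echo "$jail devfs_ruleset=$n is undefined: nothing hidden, all of /dev visible" ;;
            *allow.kmem*)                            # "allow.kmem;" or "allow.kmem = 1;" enables it
                v=${line#*=}; v=$(printf '%s' "${v%%;*}" | tr -d ' \t')
                [ "$v" = 0 ] || echo "$jail allow.kmem enabled: /dev/kmem, /dev/mem, /dev/io usable if visible" ;;
        esac
    done
}

finding_count() { audit_jail_conf "$1" "$2" | wc -l | tr -d ' '; }

SAMPLE_JAIL_CONF=$(cat <<'EOF'
xorg {
    path = "/jails/xorg";
    devfs_ruleset = 99;
    allow.kmem = 1;
}
vpn {
    path = "/jails/vpn";
    devfs_ruleset = 4;
}
gfx {
    path = "/jails/gfx";
    devfs_ruleset = 10;
}
EOF
)
# Constructed local ruleset: start from the stock jail ruleset and unhide only the DRM
# node (assumed to be what a kms-based X server opens); everything else stays hidden.
SAMPLE_DEVFS_RULES=$(cat <<'EOF'
[devfsrules_jail_gfx=10]
add include $devfsrules_jail
add path 'dri/*' unhide
EOF
)

audit_jail_conf "$SAMPLE_JAIL_CONF" "$SAMPLE_DEVFS_RULES"
```

On a live host, feed it `cat /etc/jail.conf` and `cat /etc/devfs.rules` instead of the samples; only the xorg jail above produces findings.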


----------



## tingo (Dec 9, 2016)

Eh... you should ask yourself if you really, really want to run all that on your firewall.
Why? because your firewall is the security wall that is supposed to keep the bad people away from your valuables. It is usually the first line of defense too, which means it will be most exposed to attacks.

My take:
keep your firewall separate from other services (like web servers, virtual desktops, file servers and so on) - on a machine on its own. Do not enlarge the possible attack surface by installing additional services / functions. Follow "bastion host" principles and harden the server properly.

Don't even get me started about the security nightmare you create if you insist on installing Xorg on your firewall.


----------



## zader (Dec 9, 2016)

Let me rephrase ..

This is my internal firewall .. I still have an upstream OpenBSD box that is connected to the internet.

This box runs several jails, and the only live connection it gets from the internet is into a VPN jail that is used to connect to jailed services. The Xorg portion will essentially only have access to the reporting data that is synced between the other jails.

But yes, I would beat myself to death with a spoon before putting Xorg on a public router.

Thanks for the reply


----------

