OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: Stilez on October 20, 2019, 05:41:05 pm

Title: Tiny internet-facing service on OPNSense - run in jail, or something else?
Post by: Stilez on October 20, 2019, 05:41:05 pm
I'm planning to install a small public-facing service on my OPNSense router (doesn't really matter the details, djbdns and a tiny static-file-only httpd, both pretty much serving static data files only, and a few queries a day). I want to run these on the router itself because I don't need a second server or VM for such tiny things, and so I'm sure they are up and running any time the router itself is. Other threads on this forum make it look clear that adding jails should be completely workable and not in conflict with OPNSense core/plugins.

I came across this short thread from 2017 (https://forum.opnsense.org/index.php?topic=4730.0) which gives a very clear step by step "recipe" for the exact same goal. So most of my questions have been answered.  I have only 2 crucial questions left before going ahead:   
Any tips on those 2 questions, or other useful info, much appreciated, so I go ahead safely!
Title: Re: Tiny internet-facing service on OPNSense - run in jail, or something else?
Post by: nbfedafdf on October 22, 2019, 11:13:24 am
Interesting topic. 11.0 is no longer available but appears 11.2 is. OpenSSL old version. If I Remember Correctly, some ports won't build with that old version. SSHd includes insecure ciphers.
So, a number of things that could be or need to be fixed, but other than that, I think that recipe answers your question.
2. You give it an RFC1918 internal address and Destination NAT to that.
Title: Re: Tiny internet-facing service on OPNSense - run in jail, or something else?
Post by: Stilez on October 22, 2019, 12:47:02 pm
My main concern is, I'm using a security-aware OS, and a security-aware router software, by a security-aware team. I'd like to not accidentally expose anything by blindly following a recipe that I didn't realise had holes in it. 

I'm fairly confident that the service I want to run is small and "narrow" enough I won't open holes by misconfiguring its .conf files, and I don't need ssh or ftp either (host based jexec and file access are enough). But I'm wary of following a 2 year old recipe of comparatively unknown provenance for the jail setup, without rechecking here with people who know the platform. Is the jail *really* in fact going to be well configured if I follow that recipe? Is it "safe" against external attack against its exposed services (for a reasonable definition of "safe")?

Also, the dns service only needs very limited ports (53 basically), and outward only access to the WAN (for updates/upgrades). So I figure I can use port mapping instead of NAT - give it a public IP's port 53 on the host, use OPNSense to map that to some other port on the jail's IP, and lock down all other incoming ports on the public or jail IPs on OPNSense. The only issue would be if the jailed system needs loopback I guess?


Last, as OPNSense uses HardenedBSD as its platform, should I install that into the jail rather than usual FreeBSD? And if so does the version have to be identical? (Eg when OPNSense gets an upgrade)?