But if an operator runs an exit from his or her home, and on their own internet connection, “they may be confused with being the source of the traffic, instead of an exit node of the traffic,” Opsahl told me. To anyone looking at activity flowing from the exit—whether that’s child abuse material, or an attempt to hack a website—it looks one and the same as the operator’s own personal usage. This could lead to a raid on the operator’s house, even though running an exit is arguably legal.
This time we're really going to get into the meat of the subject. We'll cover splitting your services into those super-compartmentalized environments called jails, and communication between the jails and the outside world will be handled by the magnificent, the splendid, Packet Filter, one of the FreeBSD firewalls that puts Iptables to shame. If after this rag of an article you still don't feel like dropping GNU/Linux to host your services at home, you're probably a Systemd fanatic ... (smack)
Second part
https://www.pentakonix.fr/jrnl/index.php?d=2014/12/18/21/47/49-securiser-ses-services-avec-les-jails-freebsd-et-packet-filter-2
We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, and IPC space.
Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.
TL;DR
$ mbox -- wget google.com
...
Network Summary:
[11279] -> 173.194.43.51:80
[11279] Create socket(PF_INET,...)
[11279] -> a00::2607:f8b0:4006:803:0
...
Sandbox Root:
/tmp/sandbox-11275
N:/tmp/index.html
[c]ommit, [i]gnore, [d]iff, [l]ist, [s]hell, [q]uit ?>
Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in the AUR.
There are plenty of people who've written about how to run BIND in a chroot jail, and we'll add our own experiences. We have done this on a handful of machines and have the routine down pretty well, and anybody else with the same problem set might find this helpful.
We've previously run BIND 8 in a jail, and it has always been a horrid nightmare to build and configure, because the install paths had to be hacked up on a custom basis and every operating system put files in different places. BIND 9 has changed this and decided that it all goes into /usr/local. This has made an enormous difference to consultants with widely varied customer bases. Thank you, ISC.
Most of our direct experience is with various flavors of Red Hat Linux, but we've set this up on Debian's "woody" release as well. These instructions are current as of BIND 9.2.2rc1.