Date:      Mon, 17 Mar 2003 13:57:17 +0300 (MSK)
From:      "."@babolo.ru
To:        Peter Jeremy <peterjeremy@optushome.com.au>
Cc:        mooneer@translator.cx, freebsd-hackers@FreeBSD.ORG
Subject:   Re: jail support for ping, traceroute, etc.. crude hack
Message-ID:  <1047898637.590705.1108.nullmailer@cicuta.babolo.ru>
In-Reply-To: <20030317075544.GA1032@cirb503493.alcatel.com.au>

> On Mon, Mar 17, 2003 at 10:06:27AM +0300, "."@babolo.ru wrote:
> >It is time to invent "ping socket" and "traceroute socket"
> >in addition to tcp, udp, divert so on?
> 
> Whilst this might seem nice, actually implementing so that it is
> both useful and safe is not easy.
> 
> For a "ping socket", this is reasonably easy if all you want is the
> ability to send "ICMP ECHO REQUEST" packets and receive any "ICMP ECHO
> REPLY" packets associated with previous request packets.  It's not
> totally trivial because the kernel has to keep the state for outgoing
> packets to ensure that only the correct incoming packets are
> forwarded.  (This is a security issue - you don't want someone finding
> out hosts someone outside that jail is pinging).  Remember to allow
> for multiple responses to a single request and for long delays.  You
> might also want to implement resource restrictions to prevent someone
> flooding the system with request packets.
Not so easy to do, but easily understandable for me.

> A "traceroute socket" is harder: There's no "ICMP TRACEROUTE" packet.
> Instead, traceroute(8) sends outgoing IP packets with varying TTL
> sizes and monitors incoming ICMP looking for "HOST
> UNREACHABLE - TIME EXCEEDED IN TRANSIT" packets.  Again, the kernel
> would need to validate the incoming packets against outgoing packets.
"traceroute socket" is just a curiosity.
It seems to me better to use a UDP socket with some controls
and the "ping socket" from above.
But a way to obtain a "ping socket" coupled with a UDP socket
is above my brain.

Or maybe a more common way? A semiraw socket
with the ability to send some classes of IP packets
and receive all induced ICMP:
ICMP ECHO REQUEST, any UDP and other protocols
except TCP, with correct source IP address,
is probably secure enough for use by root in a jail.

> In both cases, you also need to work out how to handle other random
> ICMP packets that may be received as a result of the outgoing packets.
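
Added example, not part of the original message and not FreeBSD code: a user-space C model of the per-socket state the quoted text asks the kernel to keep for a "ping socket", so that only replies to that socket's own requests are delivered. All names (ping_sock, ping_sock_send, ping_sock_accept, MAX_PENDING, REPLY_WINDOW) and both limits are hypothetical, and unicast destinations are assumed.

```c
#include <stdint.h>

#define MAX_PENDING  8   /* assumed cap on tracked requests (flood limit) */
#define REPLY_WINDOW 30  /* assumed seconds a request stays matchable */

/* One outstanding ICMP ECHO REQUEST sent through the socket. */
struct echo_req { uint32_t dst; uint16_t id, seq; long sent; int used; };

/* State for one "ping socket"; each jail's socket has its own table. */
struct ping_sock { struct echo_req pend[MAX_PENDING]; };

/* Record an outgoing request. Free or expired slots are reused.
 * Returns 0 on success, -1 when every slot holds a live request,
 * which bounds how fast one socket can emit requests. */
int ping_sock_send(struct ping_sock *s, uint32_t dst,
                   uint16_t id, uint16_t seq, long now)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        struct echo_req *r = &s->pend[i];
        if (!r->used || now - r->sent > REPLY_WINDOW) {
            *r = (struct echo_req){ dst, id, seq, now, 1 };
            return 0;
        }
    }
    return -1;
}

/* Decide whether an incoming ECHO REPLY may be delivered to this socket.
 * The reply must come from the address the request went to and carry the
 * same id and sequence number, within the reply window. */
int ping_sock_accept(const struct ping_sock *s, uint32_t src,
                     uint16_t id, uint16_t seq, long now)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        const struct echo_req *r = &s->pend[i];
        if (r->used && r->dst == src && r->id == id && r->seq == seq &&
            now - r->sent <= REPLY_WINDOW)
            return 1;  /* entry is kept, so duplicate replies still match */
    }
    return 0;  /* reply belongs to another socket or to nobody: drop */
}
```

The entry is not cleared on the first match, which covers the "multiple responses to a single request" case; the window covers long delays while still letting stale slots be reclaimed.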

