From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Date: Mon, 8 May 2006 09:47:13 +0200 (CEST)
Message-Id: <200605080747.k487lD2U085854@lurza.secnetix.de>
In-Reply-To: <20060505142945.J26390@home.ephemeron.org>
Subject: Re: Jails and loopback interfaces

Bigby Findrake wrote:
> Oliver Fromme wrote:
> > In fact, it is a good idea to _always_ bind jails to non-routable
> > loopback IPs. For example:
> >
> > jail 1 (webserver) on 127.0.0.2
> > jail 2 (database) on 127.0.0.3
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.
>
> Wouldn't you need to use some form of NAT and not forwarding? This is
> from IPFW(8) (6.0-RELEASE):
>
>     The fwd action does not change the contents of the packet at all.
>     In particular, the destination address remains unmodified, so
>     packets forwarded to another system will usually be rejected by
>     that system unless there is a matching rule on that system to
>     capture them. For packets forwarded locally, the local address
>     of the socket will be set to the original destination address of
>     the packet.
>
> It seems to me that the jail might reject the packets,

No, a jail doesn't reject anything, because jails don't have their own
TCP/IP stack or routing table (actually it would be very nice if they
did). Trust me, it works. I've got such setups running in production. ;-)

> and even if it didn't, would the replies from the jail get the right
> source address put on them?

That's right. When processes within a jail open a network socket, those
sockets are forced to bind to the jail's IP address, so all packets
originating from that jail will have the jail's IP as the source address.
Therefore you have to install a NAT rule.

> Forwarding doesn't seem to be the way to accomplish what you're talking
> about.

Yes, packet forwarding is the perfect way to accomplish it. It's also
very efficient; the overhead is negligible.

I always recommend using loopback IPs for jails, because it is the most
secure way to set up jails, since loopback IPs are guaranteed to never
leave the local machine. So an attacker who manages to take control of
the jail (in whole or in part) cannot use it to launch further attacks.
Of course, that's only an _additional_ safety measure, not the only one.
Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"What is this talk of 'release'? We do not make software 'releases'.
Our software 'escapes', leaving a bloody trail of designers and quality
assurance people in its wake."
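The ruleset below is an added example and is not part of the thread or of Oliver's production setup. It puts the two pieces of his answer into one ipfw configuration: an inbound fwd rule that hands packets for the public IP's port 80 to the socket bound to the webserver jail's loopback address (the destination address is left untouched, exactly as the ipfw(8) excerpt says), plus a NAT rule that rewrites the 127.0.0.x source of the jail's outbound packets. The interface name em0, the public address 203.0.113.10 and the use of in-kernel ipfw nat (FreeBSD 7 and later; on 6.x the equivalent is natd with a divert rule) are assumptions; the jail addresses 127.0.0.2 and 127.0.0.3 are the ones from the thread. Without an argument the script only prints the rules; `apply` installs them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for jails bound to
# loopback IPs, reachable from outside via "fwd", with NAT for their
# outbound traffic. All names and addresses below are assumptions.
#
# Usage: sh jail-fw.sh          -> print the rules (dry run, no root needed)
#        sh jail-fw.sh apply    -> install them (root on FreeBSD, ipfw loaded;
#                                  older kernels also need options IPFIREWALL_FORWARD)

EXT_IF="${EXT_IF:-em0}"                 # assumed external interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # assumed public IP (documentation range)
WWW_JAIL_IP="127.0.0.2"                 # jail 1 (webserver), as in the thread
DB_JAIL_IP="127.0.0.3"                  # jail 2 (database), as in the thread

# In dry-run mode commands are printed instead of executed.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_ruleset() {
    # After a "nat" rule the search must continue (default one_pass=1 would
    # accept every packet that passed through the NAT instance, matched or not).
    run sysctl net.inet.ip.fw.one_pass=0
    run ipfw -f flush

    # Everything on lo0 is allowed: this is how the webserver jail talks to the
    # database jail (127.0.0.2 -> 127.0.0.3). The database jail ($DB_JAIL_IP)
    # is reachable only this way; nothing is ever forwarded to it from $EXT_IF.
    run ipfw add 100 allow ip from any to any via lo0

    # Anti-spoofing, evaluated BEFORE any translation: a packet that carries a
    # loopback address when it arrives on the real interface is bogus.
    run ipfw add 200 deny ip from any to 127.0.0.0/8 in recv "$EXT_IF"
    run ipfw add 210 deny ip from 127.0.0.0/8 to any in recv "$EXT_IF"

    # One NAT instance on the external interface. Inbound packets that belong
    # to a jail's outbound session get their destination rewritten back to
    # 127.0.0.x here; anything else passes through rule 300 unchanged.
    run ipfw nat 1 config if "$EXT_IF" same_ports
    run ipfw add 300 nat 1 ip from any to "$PUBLIC_IP" in recv "$EXT_IF"
    # Only packets translated by rule 300 can still have a 127/8 destination
    # at this point (rule 200 already dropped the spoofed ones).
    run ipfw add 310 allow ip from any to 127.0.0.0/8 in recv "$EXT_IF"

    # New connections to the public IP, port 80: "fwd" does not modify the
    # packet; it makes the kernel look up the socket bound to 127.0.0.2:80,
    # which then sees $PUBLIC_IP as its local address.
    run ipfw add 400 fwd "$WWW_JAIL_IP",80 tcp from any to "$PUBLIC_IP" 80 in recv "$EXT_IF"

    # Outbound traffic from the jails: translate the loopback source first;
    # whatever still carries a 127/8 source afterwards is a leak and is dropped,
    # so a loopback address can never leave the machine.
    run ipfw add 500 nat 1 ip from 127.0.0.0/8 to any out xmit "$EXT_IF"
    run ipfw add 510 deny ip from 127.0.0.0/8 to any out xmit "$EXT_IF"

    # The host's own traffic; everything else falls through to the default
    # deny rule 65535 (assumes the kernel is not built with DEFAULT_TO_ACCEPT).
    run ipfw add 600 allow ip from "$PUBLIC_IP" to any out xmit "$EXT_IF"
    run ipfw add 610 allow tcp from any to "$PUBLIC_IP" in recv "$EXT_IF" established
}

case "${1:-}" in
    apply) DRY_RUN= ;;
    *)     DRY_RUN=1 ;;
esac
build_ruleset
```

Rule order is the whole point of the script: the anti-spoofing rules 200/210 sit before the NAT rule, so they only ever see untranslated packets, and rule 310 can safely admit 127/8 destinations because only NAT-translated replies reach it. The fwd rule matches every packet of a connection, not just the SYN, because the kernel consults the forwarded address on each socket lookup.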