Date: Mon, 26 Jun 2000 20:31:52 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <20000626203152.K9883@speedy.gsinet>
In-Reply-To: <15310.961998894@critter.freebsd.dk>; from phk@critter.freebsd.dk on Mon, Jun 26, 2000 at 07:54:54AM +0200
References: <20000625223549.I9883@speedy.gsinet> <15310.961998894@critter.freebsd.dk>
On Mon, Jun 26, 2000 at 07:54 +0200, Poul-Henning Kamp wrote:
> In message <20000625223549.I9883@speedy.gsinet>, Gerhard Sittig writes:
> >
> > [ ... how to recognize you're jail(8)ed ... ]
>
> Bind a socket at 127.0.0.1 and notice with getsockname() that
> it isn't.
>
> Ping doesn't work.

Yes, that's the lesson I had to learn today. :) And I couldn't do
networking at all from a jail into the host in 4.0-R; cvsupping
helped against this. Now I can do "normal" connections to and fro.

What I'm still missing (and what is hindered by the jail mechanism
in general, I suppose) is to put packet filters in the jailed
environment. This won't work. Yet? Seems I got the intent wrong and
now I'm suffering from disappointed expectations. :| Luckily there
are other ways to go ... :>

Seems I have to set up the filter in the host environment. Which
makes me ask: Do the routes between aliases go through lo0 or the
"real" NIF? I still have problems reading "netstat -rn" output.
Since I'm coming from Linux this looks to me like a routing and arp
table mixture and dazes me a little to see entries for hosts with
lo _and_ xl in the device column.

> > This leads to the question: Was the intent behind the jail(2)
> > mechanism to isolate a process group or was it to fake a
> > machine? I guess it was the former, but could be turned into
> > the latter. And I'm sure you will tell me if I'm wrong. :)
>
> The former, and significant amounts of code will have to be
> written to make it the latter.

When *you* say so I have to believe it. :) I guess providing a fake
machine without sacrificing the real host one has no other chance
than virtualizing every single resource. This would make jail(2)
another VmWare / Bochs / pcemu / VMS / you name it.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76

Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
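The getsockname() check Poul-Henning Kamp mentions above, written out as an added example (this is editorial code, not part of the original message or of FreeBSD): the program binds a socket to 127.0.0.1 and reads back the address the kernel actually assigned. On a host the two agree; inside a jail(8) the kernel rewrites loopback binds to the jail's own IP, so the address read back differs. The function names are this example's own.

```c
/* Added example, not from the original message: bind to 127.0.0.1,
 * then ask the kernel with getsockname() which address it really
 * used. A jail(8) rewrites the loopback bind to the jail's IP, so a
 * mismatch tells an administrator (or a honeypot service checking
 * its own environment) that the process runs jailed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to 127.0.0.1 on an ephemeral port and write the
 * address the kernel reports via getsockname() into out (dotted quad).
 * Returns 0 on success, -1 if socket/bind/getsockname fails. */
int observed_loopback_addr(char *out, size_t outlen)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in want;
    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_port = 0;                       /* any free port */
    want.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0) {
        close(fd);
        return -1;
    }

    struct sockaddr_in got;
    socklen_t len = sizeof got;
    if (getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &got.sin_addr, out, outlen) == NULL)
        return -1;
    return 0;
}

/* Returns 1 if the address read back is not 127.0.0.1 (the jail(8)
 * loopback rewrite was observed), 0 if it is 127.0.0.1 (unjailed host),
 * -1 if the socket calls failed. */
int loopback_rewritten(void)
{
    char buf[INET_ADDRSTRLEN];
    if (observed_loopback_addr(buf, sizeof buf) < 0)
        return -1;
    return strcmp(buf, "127.0.0.1") != 0;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    if (observed_loopback_addr(buf, sizeof buf) < 0) {
        perror("bind/getsockname");
        return 1;
    }
    printf("bound 127.0.0.1, kernel reports %s\n", buf);
    return 0;
}
```

Run on an unjailed host the program prints 127.0.0.1; run inside a jail it prints the jail's address, which is the observable difference the quoted message refers to. The "ping doesn't work" remark is the other side of the same design: raw sockets are unavailable in a jail, so ICMP from inside fails.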
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message