Date: Mon, 26 Jun 2000 20:31:52 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <20000626203152.K9883@speedy.gsinet>
In-Reply-To: <15310.961998894@critter.freebsd.dk>; from phk@critter.freebsd.dk on Mon, Jun 26, 2000 at 07:54:54AM +0200
References: <20000625223549.I9883@speedy.gsinet> <15310.961998894@critter.freebsd.dk>
On Mon, Jun 26, 2000 at 07:54 +0200, Poul-Henning Kamp wrote:
> In message <20000625223549.I9883@speedy.gsinet>, Gerhard Sittig writes:
> >
> > [ ... how to recognize you're jail(8)ed ... ]
>
> Bind a socket at 127.0.0.1 and notice with getsockname() that
> it isn't.
>
> Ping doesn't work.

Yes, that's the lesson I had to learn today. :) And I couldn't
do networking at all from a jail into the host in 4.0-R,
cvsupping helped against this. Now I can do "normal" connections
to and fro.

What I'm still missing (and what is hindered by the jail
mechanism in general, I suppose) is to put packet filters in the
jailed environment. This won't work. Yet? Seems I got the
intent wrong and now I'm suffering from disappointed
expectations. :| Luckily there are other ways to go ... :>

Seems I have to set up the filter in the host environment. Which
makes me ask: Do the routes between aliases go through lo0 or
the "real" NIF? I still have problems reading "netstat -rn"
output. Since I'm coming from Linux this looks to me like a
routing and arp table mixture and dazes me a little to see
entries for hosts with lo _and_ xl in the device column.

> >This leads to the question: Was the intent behind the jail(2)
> >mechanism to isolate a process group or was it to fake a
> >machine? I guess it was the former, but could be turned into
> >the latter. And I'm sure you will tell me if I'm wrong. :)
>
> The former, and significant amounts of code will have to be
> written to make it the latter.

When *you* say so I have to believe it. :) I guess providing a
fake machine without sacrificing the real host one has no other
chance than virtualizing every single resource. This would make
jail(2) another VmWare / Bochs / pcemu / VMS / you name it.

virtually yours
Gerhard Sittig
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
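The check Poul-Henning describes above, written out as an added example (not code from this thread or from FreeBSD): bind a TCP socket to 127.0.0.1 on an ephemeral port and compare the address getsockname() reports with the one requested. Outside a jail the kernel hands back 127.0.0.1; inside a jail(8) it does not, which is what makes this a cheap self-test for a process that needs to know whether its loopback is being virtualised.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to 127.0.0.1:0 and ask the kernel what address it actually used.
 * Returns 1 if the loopback bind was honoured (address unchanged),
 * 0 if the kernel substituted a different address (jail-style
 * virtualisation), -1 if socket/bind/getsockname failed.
 * If 'actual' is non-NULL the reported address is written there. */
int loopback_bind_is_honoured(char *actual, size_t actual_len)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof(got);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&want, 0, sizeof(want));
    want.sin_family = AF_INET;
    want.sin_port = 0;                          /* kernel picks the port */
    want.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    memset(&got, 0, sizeof(got));
    if (bind(fd, (struct sockaddr *)&want, sizeof(want)) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (actual != NULL)
        inet_ntop(AF_INET, &got.sin_addr, actual, actual_len);

    /* Only the address matters; the port is whatever the kernel chose. */
    return got.sin_addr.s_addr == want.sin_addr.s_addr;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    int r = loopback_bind_is_honoured(buf, sizeof(buf));
    if (r < 0) {
        perror("socket/bind/getsockname");
        return 1;
    }
    printf("asked for 127.0.0.1, kernel reports %s: %s\n", buf,
           r ? "loopback honoured" : "loopback rewritten (jailed?)");
    return 0;
}
```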
