Date: Tue, 24 May 2005 03:13:22 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: freebsd-security@FreeBSD.org
Cc: rwatson@FreeBSD.org
Subject: Jail support for mac_portacl(4).
Message-ID: <20050524011322.GI837@darkness.comp.waw.pl>
Hi.

When we don't have too many IP addresses available and we want to run, for example, a www server inside a jail, but use the same IP address as the main system, we need to actually use an internal IP address and forward the http port with a firewall from the external IP to the jail's IP. In that way we know that if somebody breaks into our jail, he cannot run an sshd server (we have keys, I know) or any other non-http service inside the jail with our public IP address.

This patch gives another option, so one doesn't need to use a firewall for this purpose. It adds a new idtype - 'jid'. With this patch, one can configure that the jail with the given JID can use only defined ports:

# sysctl security.mac.portacl.rules="jid:1:tcp:80"

Patch is here:

http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch

Any objections?

PS. With the above policy, processes from outside a jail can bind to port 80. We can change this behaviour to "allow port 80 to be used only inside jail 1". This will be a warning for non-jailed processes (don't use this port, because it can be used in a jail which will overwrite your service).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
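The rule grammar and the two jail semantics discussed in the mail (the patch's "jail N may only use these ports" and the PS alternative "this port may only be used inside jail N"), modelled as an added example; this is not the patch or the kernel's mac_portacl code. The uid/gid idtypes, port_high and suser_exempt follow mac_portacl(4); the jail_exclusive flag and the use of jid 0 for unjailed processes are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    idtype: str   # "uid", "gid", or the proposed "jid"
    ident: int
    proto: str    # "tcp" or "udp"
    port: int

def parse_rules(spec: str) -> list[Rule]:
    """Parse a security.mac.portacl.rules string such as "uid:80:tcp:80,jid:1:tcp:80"."""
    rules = []
    for item in filter(None, spec.split(",")):
        fields = item.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed rule: {item!r}")
        idtype, ident, proto, port = fields
        if idtype not in ("uid", "gid", "jid") or proto not in ("tcp", "udp"):
            raise ValueError(f"unknown idtype or protocol in rule: {item!r}")
        rules.append(Rule(idtype, int(ident), proto, int(port)))
    return rules

def bind_allowed(rules, *, uid, gids, jid, proto, port,
                 port_high=1023, suser_exempt=True, jail_exclusive=False):
    """Decide whether a bind() to (proto, port) by a process with uid/gids in jail jid is allowed.
    jid=0 stands for an unjailed process (assumption). jail_exclusive=True models the PS
    alternative: a jid rule reserves the port for that jail, even against root on the host."""
    if jail_exclusive:
        # Ports named in a jid rule for *another* jail are off limits, exemptions notwithstanding.
        reserved = {(r.proto, r.port) for r in rules if r.idtype == "jid" and r.ident != jid}
        if (proto, port) in reserved:
            return False
    if port > port_high:            # policy only covers the privileged range
        return True
    if suser_exempt and uid == 0:   # root bypasses the rule list by default
        return True
    for r in rules:
        if r.proto != proto or r.port != port:
            continue
        if r.idtype == "uid" and r.ident == uid:
            return True
        if r.idtype == "gid" and r.ident in gids:
            return True
        if r.idtype == "jid" and r.ident == jid:
            return True
    return False
```

With the mail's rule "jid:1:tcp:80", jail 1 can bind port 80 but not 22, and a root process on the host can still take port 80 unless jail_exclusive is set, which is exactly the point raised in the PS.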