From: Frank Behrens
Date: Sun, 30 Nov 2008 17:32:28 +0100
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Subject: Re: Anyone interested in jail patches?
Message-ID: <4932C01C.4020609@harz.behrens.de>
List-Id: "Discussion about FreeBSD jail\(8\)"

Bjoern A. Zeeb wrote:
> On Thu, 27 Nov 2008, Frank Behrens wrote:
>> On the other side I still read in the patched jail(2) man page:
>> "Similarly, it might be a good idea to add an address alias flag such
>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>> address...". Can you explain the current behaviour?
>
> I think this question is related to your PR kern/84215.

Yes.

> The current situation is: jails take precedence. So if sshd is
> listening on inaddr_any on the host and on inaddr_any inside a jail
> the connection to an IP belonging to a jail will end up inside the
> jail; any connections to IPs not belonging to jails will end up on the
> base.

So we now have the desired behaviour. Your explanation should replace
the (now incorrect) sentence in the man page. Please excuse my error, it
is in jail(8), not jail(2).

> Obviously if you stop the jail and ssh to a former jail IP you'll end
> up on the base system and ssh would complain about different keys
> possibly while telnet or similar things won't notice.

This is expected and not easy to circumvent.

Regards,
   Frank