From owner-freebsd-security Thu Nov 23 6:42: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.gutatelecom.ru (ns.gutatelecom.ru [195.7.161.13]) by hub.freebsd.org (Postfix) with ESMTP id 67D5D37B479 for ; Thu, 23 Nov 2000 06:41:58 -0800 (PST)
Received: from hub.all.yans.ru (unknown [10.123.0.2]) by ns.gutatelecom.ru (Postfix) with ESMTP id 532666E718 for ; Thu, 23 Nov 2000 17:41:52 +0300 (MSK)
Received: by hub.all.yans.ru (Postfix, from userid 300) id 189AC7F8C1; Thu, 23 Nov 2000 17:42:31 +0300 (MSK)
Date: Thu, 23 Nov 2000 17:42:31 +0300
From: Ekaterina Ivannikova
To: freebsd-security@freebsd.org
Subject: How to isolate jails from the host system ?
Message-ID: <20001123174231.A4498@hub.all.yans.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

what is the recommended way of isolating jails from the host system with regard to tcp/ip connections ?

It appears that though processes in a jail are not allowed to bind to the host system's ip address, they are still assigned this ip address if they try to connect to daemons running on the host system. Thus placing filters on lo0 doesn't help as the host system cannot distinguish between clients coming from a jail and its own processes.

I'm running 4.2-STABLE cvsuped on Nov 21 if it matters.

Regards,
Ekaterina Ivannikova

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
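The practical follow-up to the observation in this post is an inventory of which host daemons a jailed client can actually reach: listeners bound to the wildcard address or to the host's own address are the ones a jail connection carrying the host IP lands on. The script below is an added example from the editor, not code from the post or from FreeBSD; it parses `netstat -an`-style TCP listener lines and classifies them. The netstat output, the host address 192.0.2.10 and the jail address 192.0.2.20 are all constructed (RFC 5737 documentation addresses), and the reachability rule encodes only what the post describes: jail clients show up with the host address, so wildcard and host-bound listeners are the exposed set.

```python
"""Audit host TCP listeners a jailed client could reach via the host address.

Added example (editor's code, not from the mailing-list post or FreeBSD).
Parses FreeBSD-style `netstat -an` lines and reports listeners bound to
the wildcard address ('*') or to the host's own IP. All sample data is
constructed for illustration.
"""
import re

# Constructed sample of `netstat -an -p tcp` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.25          *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  192.0.2.20.80          *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          192.0.2.20.1025        ESTABLISHED
"""

# Matches only LISTEN rows: proto, recv-q, send-q, local, foreign, state.
LISTEN_RE = re.compile(r"^(tcp\d?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\s*$")


def split_addr_port(local):
    """Split netstat's 'addr.port' form into (addr, port); addr may be '*'."""
    addr, _, port = local.rpartition(".")
    return addr, int(port)


def parse_listeners(text):
    """Return [(bind_addr, port), ...] for every TCP listener in the output."""
    listeners = []
    for line in text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        listeners.append(split_addr_port(match.group(2)))
    return listeners


def reachable_from_jail(listeners, host_ip, jail_ip):
    """Listeners a jail client would reach when its connections carry host_ip.

    Per the post, a jailed process connecting to the host is assigned the
    host's address, so anything bound to '*' or to host_ip is reachable.
    Listeners bound to jail_ip belong to the jail itself and are excluded;
    loopback-only listeners are left out of the exposed set as well.
    """
    exposed = []
    for addr, port in listeners:
        if addr == jail_ip:
            continue
        if addr == "*" or addr == host_ip:
            exposed.append((addr, port))
    return exposed


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for addr, port in reachable_from_jail(found, "192.0.2.10", "192.0.2.20"):
        print(f"exposed to jail clients: {addr}:{port}")
```

On a real host you would feed it the output of `netstat -an -p tcp` and compare the exposed list against the daemons you intend jails to reach; a listener on `*` that only the host should use is the first candidate for rebinding to a specific address.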