From owner-freebsd-security Thu Nov 23 19:15:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 0892B37B4C5 for ; Thu, 23 Nov 2000 19:15:39 -0800 (PST) Received: (qmail 8645 invoked by uid 0); 24 Nov 2000 03:15:37 -0000 Received: from p3ee21638.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.56) by mail.gmx.net (mail04) with SMTP; 24 Nov 2000 03:15:37 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA20005 for freebsd-security@freebsd.org; Thu, 23 Nov 2000 21:27:57 +0100 Date: Thu, 23 Nov 2000 21:27:57 +0100 From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: How to isolate jails from the host system ? Message-ID: <20001123212757.W27042@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20001123174231.A4498@hub.all.yans.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001123174231.A4498@hub.all.yans.ru>; from kate@gutatelecom.ru on Thu, Nov 23, 2000 at 05:42:31PM +0300 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Nov 23, 2000 at 17:42 +0300, Ekaterina Ivannikova wrote: > > It appeares that though processes in a jail are not allowed to > bind to the host system's ip address, they are still assigned > this ip address if they try to connect to daemons running on > the host system. That's hard to believe. :) At least it contradicts the jail(2) idea. Processes in jails can *only* bind to the IP assigned to the jail. Not even 127.0.0.1 is available. Although there was (is?) a bug with UDP packets mistakenly being sent _from_ the host's address under certain circumstances. But a fix is available, search for "jail" in the gnats database. What you cannot defend against is processes in the host to bind to IPs delegated into jails. But you don't run any services in the host except for the jail(8)s, do you? There's no real need to do so except for the administrative access sshd -- unless one has a serial console ... virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message