Date: Fri, 24 Nov 2000 11:16:30 +0300
From: Ekaterina Ivannikova
To: freebsd-security@freebsd.org
Subject: Re: How to isolate jails from the host system ?
Message-ID: <20001124111630.A2238@hub.all.yans.ru>
References: <20001123174231.A4498@hub.all.yans.ru> <20001123212757.W27042@speedy.gsinet>
In-Reply-To: <20001123212757.W27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Thu, Nov 23, 2000 at 09:27:57PM +0100

On Thu, Nov 23, 2000 at 09:27:57PM +0100, Gerhard Sittig wrote:
> On Thu, Nov 23, 2000 at 17:42 +0300, Ekaterina Ivannikova wrote:
> >
> > It appears that though processes in a jail are not allowed to
> > bind to the host system's ip address, they are still assigned
> > this ip address if they try to connect to daemons running on
> > the host system.
>
> That's hard to believe. :) At least it contradicts the jail(2)
> idea. Processes in jails can *only* bind to the IP assigned to
> the jail. Not even 127.0.0.1 is available.
>
> Although there was (is?) a bug with UDP packets mistakenly being
> sent _from_ the host's address under certain circumstances. But
> a fix is available, search for "jail" in the gnats database.
>

I tripped over this one. This is bug kern/20946, status closed, but it
seems that the relevant patch did not make it into the -STABLE source.
The patch may be found at
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/udp_usrreq.c.diff?r1=1.73&r2=1.74&f=u

Thanx for your help, now it works as expected.

Regards,
Ekaterina Ivannikova
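A check an administrator can run from inside a jail to see which source address the kernel would stamp on UDP datagrams aimed at a host daemon, i.e. whether the behaviour discussed above is present. This is an added example, not code from the thread or from the FreeBSD patch; the function and program names are mine, and it assumes the daemon's IP and a UDP port to aim at (connect() on a UDP socket sends nothing, it only lets getsockname() report the chosen local address):

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added check, not from the original thread or the kern/20946 patch.
 * Returns 1 if the source address the kernel picks for datagrams to
 * dst_ip:dst_port equals expected_src, 0 if it differs, -1 on error.
 * If chosen is non-NULL the picked address is copied there (dotted quad). */
int udp_source_matches(const char *expected_src, const char *dst_ip,
                       unsigned short dst_port, char *chosen, size_t chosen_len)
{
    struct sockaddr_in dst, local;
    socklen_t len = sizeof(local);
    char buf[INET_ADDRSTRLEN];
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) { close(fd); return -1; }
    /* connect() on a UDP socket transmits nothing; it only makes the kernel
     * select the local address it would stamp on datagrams to dst. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0 ||
        getsockname(fd, (struct sockaddr *)&local, &len) < 0) { close(fd); return -1; }
    close(fd);
    if (inet_ntop(AF_INET, &local.sin_addr, buf, sizeof(buf)) == NULL) return -1;
    if (chosen != NULL) snprintf(chosen, chosen_len, "%s", buf);
    return strcmp(buf, expected_src) == 0;
}

/* Run inside the jail: ./jailsrc <jail-ip> <host-daemon-ip> [udp-port] */
int main(int argc, char **argv)
{
    char picked[INET_ADDRSTRLEN];
    int rc;
    if (argc < 3) { fprintf(stderr, "usage: %s jail-ip host-ip [udp-port]\n", argv[0]); return 2; }
    rc = udp_source_matches(argv[1], argv[2],
                            argc > 3 ? (unsigned short)atoi(argv[3]) : 53,
                            picked, sizeof(picked));
    if (rc < 0) { perror("udp_source_matches"); return 2; }
    printf("kernel picked %s: %s\n", picked, rc ? "the jail IP, ok" : "NOT the jail IP");
    return rc ? 0 : 1;
}
```

A non-zero exit from the program means the kernel chose a source address other than the jail's, which on an unpatched system is the symptom to look for.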