Date: Mon, 26 May 2008 08:15:47 +0200
From: Geoffroy DESVERNAY <dgeo@ec-marseille.fr>
To: Steven Hartland <killing@multiplay.co.uk>
Cc: freebsd-jail@freebsd.org
Subject: Re: Jail resource limits
Message-ID: <483A5593.60003@ec-marseille.fr>
In-Reply-To: <1F08E6231F60497A9BF556590BB56E9A@multiplay.co.uk>
References: <822C1BB6-3591-4CE1-AFEA-8B07B9F5ED8D@pean.org> <483556DB.9070602@quip.cz> <08244555-5BD2-4F67-B311-CCC5E316A068@pean.org> <20080522165219.D47338@maildrop.int.zabbadoz.net> <8068148B75CB4B3E953144A0DF47E496@multiplay.co.uk> <4839CEFC.1050605@ec-marseille.fr> <1F08E6231F60497A9BF556590BB56E9A@multiplay.co.uk>
>> come back the same way
>>
>> I still don't know if this behaviour is the better one (one may think
>> that jail's packets should not go through a different interface?), but it
>> works quite well ;)
>
> Surely that compromises jail security, i.e. being able to access
> resources from the host box even if the jail has no perceivable
> access to them?
>
It has to be taken into consideration before production time at least ;)

> I assume this still doesn't work if the server is in fact run on
> the main host only running on localhost?
>
I think the main host is never 'only' on localhost, since you must add
interfaces and addresses for the different jails it hosts, and those
interfaces are used by the host's routing table...

The IP addresses you use for jails are usable by the main host, and the
routing table of the main host is used to route the jails' packets... so
any jail you host can use any other jail's route.
(If you have only localhost on the main host and *only one* interface for
all your jails, it doesn't hurt.)

In our case, one of our jail hosts is using pf's 'route-to' to re-route
packets going to a 'forbidden' interface from jails.

Regards,
--
Geoffroy Desvernay
Ecole Centrale de Marseille
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?483A5593.60003>
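A concrete version of the pf 'route-to' workaround the poster mentions, added here as an example; it is not taken from the original message or from the poster's configuration. The interface names (em0 for the host's management interface, em1 for the jails), the jail address range 10.0.1.0/24 and the gateway 10.0.1.1 are assumptions to be replaced with the host's own values. The rule catches packets sourced from jail addresses that the shared host routing table would otherwise send out the management interface and forces them back onto the jail interface instead.

```pf
# /etc/pf.conf fragment (added example, not the poster's real config).
# Assumed names and addresses: adjust to the actual host.
host_if  = "em0"           # interface the jails must not use
jail_if  = "em1"           # interface that carries jail traffic
jail_net = "10.0.1.0/24"   # addresses assigned to the jails
jail_gw  = "10.0.1.1"      # next hop reachable via $jail_if

# Enforce the policy on the management interface itself: anything with a
# jail source address that is about to leave via $host_if is re-routed
# out $jail_if to $jail_gw. 'quick' stops further rule evaluation so a
# later, more permissive 'pass out' cannot override this.
pass out quick on $host_if route-to ($jail_if $jail_gw) inet from $jail_net to any

# Belt and braces: jail-sourced packets that still arrive on $host_if
# inbound (for example spoofed replies) are dropped and logged.
block in log quick on $host_if inet from $jail_net to any
```

Syntax-check the file before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the rules with `pfctl -sr`. Note what this does and does not do: route-to only changes the exit path of packets that leave the host, which is exactly the shared-routing-table problem described in the message. It does not stop a jailed process from reaching addresses the host itself owns (lo0 or the management interface), since that traffic never traverses em0; those need separate rules on lo0 or, better, a design where the jails simply have no route that the host considers forbidden.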