Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 26 Aug 2014 09:33:40 -0600 (MDT)
From:      Warren Block <wblock@wonkity.com>
To:        John Baldwin <jhb@freebsd.org>
Cc:        freebsd-doc@freebsd.org
Subject:   Re: ezjail Handbook section
Message-ID:  <alpine.BSF.2.11.1408260930380.78298@wonkity.com>
In-Reply-To: <1494646.V9dtS3rr7D@ralph.baldwin.cx>
References:  <alpine.BSF.2.11.1408041633520.34818@wonkity.com> <alpine.BSF.2.11.1408201206460.56309@wonkity.com> <alpine.BSF.2.11.1408201720480.93287@wonkity.com> <1494646.V9dtS3rr7D@ralph.baldwin.cx>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 25 Aug 2014, John Baldwin wrote:

> On Wednesday, August 20, 2014 05:30:12 PM Warren Block wrote:
>> On Wed, 20 Aug 2014, Warren Block wrote:
>>> On Wed, 20 Aug 2014, John Baldwin wrote:
>>>> On Tuesday, August 19, 2014 6:01:54 pm Warren Block wrote:
>>>>> On Mon, 4 Aug 2014, Warren Block wrote:
>>>>>> Draft version of an ezjail section for the Handbook Jails chapter:
>>>>>> http://www.wonkity.com/~wblock/jails/jails-ezjail.html
>>>>>>
>>>>>> This includes a complete setup at the end for running BIND in a jail.
>>>>>> In addition to a complete jail example, it can also serve as an example
>>>>>> of
>>>>>> how to set up BIND now that the old chroot configuration is no more.
>>>>>
>>>>> Asking for review again of the final version at the link above.  If
>>>>> there are no major complaints in the next few days, it will be
>>>>> committed.
>>>>
>>>> It's not clear to me if you need lo1?  If you are using aliases on an
>>>> external
>>>> interface as you would with a traditional jail then I think you don't
>>>> need
>>>> the
>>>> lo1 interface?
>>>
>>> It's there to keep jails from being involved with lo0 on the host.  But I
>>> admit the explanation is fuzzy, and will seek clarification.
>>
>> Updated.  It now says:
>>
>>    To keep jail loopback traffic off the host's loopback network
>>    interface lo0, a second loopback interface is created by adding
>>    an entry to /etc/rc.conf:...
>
> I guess my question was more "why?"  This isn't ezjail-specific, and neither
> of the other two jail tutorials in this chapter mention lo1.  If having lo1 is
> important, then we should explain why and probably do so in the first jail
> example and then apply it consistently in all the jail examples.  They "why"
> should detail if this is an optional "nice to have" or if this is "critical to
> security and apps can break out of jails otherwise".  My assumption is the
> former, but seeing it documented as a mandatory step in the ezjail config
> implies the latter to me.

It is not required, but (as I understand it), can prevent problems with 
the host seeing jail loopback traffic.  I'm attempting to find an 
example which shows how the problem appears.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.11.1408260930380.78298>