From owner-freebsd-jail@freebsd.org Sun Feb 24 10:00:33 2019
List-Id: "Discussion about FreeBSD jail(8)"
From: Alexander Leidinger <Alexander@leidinger.net>
To: freebsd-rc@freebsd.org, jail@freebsd.org
Date: Sun, 24 Feb 2019 11:00:15 +0100
Subject: Proposal: automatic jailing of services (rc.d/*) [patch]
Message-ID: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net>
Hi,

Thanks to MWL for his upcoming jail book, it inspired me to come up with
this. Note, I'm not subscribed to freebsd-rc, please keep at least jail@ in
copy (I'm subscribed there).

I propose to extend the rc system to automatically jail services in a
light sense (off by default, can be enabled on individual service
level). The "light sense" means to inherit the entire host (subject to
options). All programs still have access to the entire filesystem
(subject to user access permissions).
By default no network access. Optional access to the host's IPv4, IPv6,
raw sockets or full access to all network related parts (see below for
"service jail options"). Similar optional access for sysvipc, mlock and
vmm.

The benefit of this approach (aside from being able to prevent network
and other access if needed (without removing the network at all) when
it is not enabled) is to put a service and all its children into a
limited process namespace. A service and its children only see
themselves but no other processes (an rc script which uses some checks
in start_cmd to see if some other services/processes are started needs
to be modified to do the checks in start_precmd; only start_cmd (and
stop_cmd) is jailed in this design (so far), so that a service can
check a lot more than what is possible in a jail), and you can kill
all of those in one go (jail -r svcj-).

Note: this can not be used for services which require access to
/dev/(k)mem, as this is prohibited in a jail even if the dev-entry is
there (this means you can not enable this feature for services which
start X.org to access a graphic card without my patches for X.org in a
jail). Other hard-coded jail restrictions apply too, of course.

As an example for a service which needs network access, it would have
to have in the rc script:

    ${svcname_svcj_options:="net_basic"}

to specify that it needs access to IPv4, IPv6 and access to reserved
ports (see below for more details).

This way the service comes with a default setting and an admin can
override what the service is allowed to do at his discretion in rc.conf.

There are of course drawbacks, depending on your point of view.
If you jail sshd, you can only see processes inside the sshd service jail
via ps/top/..., you can not use commands which require access to
/dev/(k)mem, you can not start ntpd from such a ssh session, and you
can not manage (stop/start via rc-means or kill) stuff which is
running in other service jails, or in short: all hard-coded jail
restrictions apply. If you stop such a service jail, the current
implementation removes the entire service jail (after running "service
stop" inside), so for sshd this would mean that any ssh connection to
the jailed sshd is killed instead of continuing like in the non
service jail case. So this is not something which can be enabled by
default and a careful review of what shall be handled in this way
needs to be done instead of enabling it blindly.

To enable jailing of a service, an admin has to specify
svcname_svcj="YES" in rc.conf and optionally options via
svcname_svcj_options="xxx" if they want to override the settings/access
specified in the rc script (or set it if the rc script is not yet
modified to support service jails).

An rc script shall not enable a service jail by default, it's up to the
admin to enable that.

This also works in jails, but requires to set children.max to an
appropriate value for those jails (see jail(8) or MWL's upcoming book
for more info about hierarchical jails). As we expose
security.jail.param.children.* in jails, we could add a safety net
inside the implementation to not use service jails even if configured,
when "jailed and cur = max".
RC settings:
    _svcj="YES/NO"
    _svcj_options="see_below"

service jails options translations:
    netv4     -> ipv4=inherit allow.reserved_ports
    netv6     -> ipv6=inherit allow.reserved_ports
    net_basic -> ipv4=inherit ipv6=inherit allow.reserved_ports
    net_raw   -> allow.raw_sockets
    net_all   -> allow.socket_af allow.raw_sockets allow.reserved_ports
                 ipv4=inherit ipv6=inherit
    sysvipc   -> sysvmsg=inherit sysvsem=inherit sysvshm=inherit
    mlock     -> allow.mlock
    vmm       -> allow.vmm

Attached is a proof of concept (only lightly tested with
start/stop/status/restart) so that you can play around with it a
little bit. Please don't focus on the patch. This mail is to seek
feedback about the feature and the quick design so far. To make it
explicit, I do not ask (yet) if and which service to handle like this
by default. This is just the possibility to do something like this.

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
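As an added example (not Alexander's rc_svc_jails.diff, which the list stripped), here is a POSIX sh sketch of the option translation table in the proposal above and of the jail -c line it would produce for a service's start_cmd; svcj_param_for, svcj_translate and svcj_jail_cmd are hypothetical helper names, and the output uses jail(8)'s ip4=/ip6= spelling for what the mail writes as ipv4=/ipv6=.

```shell
#!/bin/sh
# Added example, not part of the proposal's patch: translate the
# _svcj_options keywords into jail(8) parameters and build the jail -c
# line that would wrap a service's start_cmd. svcj_param_for,
# svcj_translate and svcj_jail_cmd are hypothetical names. The mail
# writes ipv4=/ipv6=; jail(8) spells these parameters ip4=/ip6=.

# One keyword -> its jail(8) parameters. Prints nothing and returns 1 for
# an unknown keyword, so a typo in rc.conf fails loudly instead of
# silently granting or withholding access.
svcj_param_for() {
    case "$1" in
        netv4)     echo "ip4=inherit allow.reserved_ports" ;;
        netv6)     echo "ip6=inherit allow.reserved_ports" ;;
        net_basic) echo "ip4=inherit ip6=inherit allow.reserved_ports" ;;
        net_raw)   echo "allow.raw_sockets" ;;
        net_all)   echo "allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit" ;;
        sysvipc)   echo "sysvmsg=inherit sysvsem=inherit sysvshm=inherit" ;;
        mlock)     echo "allow.mlock" ;;
        vmm)       echo "allow.vmm" ;;
        *)         return 1 ;;
    esac
}

# Translate a space-separated option list (from rc.conf or the rc
# script's default) into a de-duplicated jail(8) parameter list.
# Overlapping keywords such as "net_basic netv4" must not repeat a
# parameter.
svcj_translate() {
    out=""
    for opt in $1; do
        params=$(svcj_param_for "$opt") || {
            echo "svcj: unknown option '$opt'" >&2
            return 1
        }
        for p in $params; do
            case " $out " in
                *" $p "*) ;;                        # already granted, skip
                *)        out="${out:+$out }$p" ;;
            esac
        done
    done
    echo "$out"
}

# Build the jail(8) command for one service: the jail inherits the host
# filesystem (path=/), is named svcj-<service> as in the proposal, and is
# created persistent so "jail -r svcj-<service>" can tear it down on
# stop. With no network keyword no ip4/ip6 parameter is emitted, which
# is the proposal's default of no network access.
# Usage: svcj_jail_cmd <service> "<options>" <start command...>
svcj_jail_cmd() {
    name=$1
    options=$2
    shift 2
    params=$(svcj_translate "$options") || return 1
    echo "jail -c persist name=svcj-$name path=/ ${params:+$params }command=$*"
}

# Worked case: an sshd rc script that defaults to net_basic.
svcj_jail_cmd sshd "net_basic" /usr/sbin/sshd
```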
From owner-freebsd-jail@freebsd.org Sun Feb 24 17:31:09 2019
From: Roger Leigh <rleigh@codelibre.net>
To: freebsd-jail@freebsd.org
Date: Sun, 24 Feb 2019 17:30:58 +0000
Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch]
Message-ID: <896ec053-0ef9-046c-e309-d7ecf9d536b3@codelibre.net>
In-Reply-To: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net>
On 24/02/2019 10:00, Alexander Leidinger via freebsd-jail wrote:
> Attached is a proof of concept (only lightly tested with
> start/stop/status/restart) so that you can play around with it a little
> bit.

I didn't see any attachment. Is this an oversight, or did I overlook
something?

Thanks,
Roger

From owner-freebsd-jail@freebsd.org Sun Feb 24 20:37:43 2019
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Alexander Leidinger <Alexander@leidinger.net>, freebsd-rc@freebsd.org, jail@freebsd.org
Date: Sun, 24 Feb 2019 21:37:19 +0100
Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch]
In-Reply-To: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net>

Alexander Leidinger via freebsd-jail wrote on 2019/02/24 11:00:

[...]

> Attached is a proof of concept (only lightly tested with
> start/stop/status/restart) so that you can play around with it a little
> bit. Please don't focus on the patch. This mail is to seek feedback
> about the feature and the quick design so far. To make it explicit, I do
> not ask (yet) if and which service to handle like this by default. This
> is just the possibility to do something like this.

Interesting idea but patch was stripped by mailing list. Can you put it
online and post the link to it?
Kind regards
Miroslav Lachman

From owner-freebsd-jail@freebsd.org Mon Feb 25 08:53:50 2019
From: Ben Woods <woodsb02@gmail.com>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Alexander Leidinger <Alexander@leidinger.net>, freebsd-rc@freebsd.org, jail@freebsd.org
Date: Mon, 25 Feb 2019 16:53:40 +0800
Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch]
In-Reply-To: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net>

On Mon, 25 Feb 2019 at 10:24, Miroslav Lachman <000.fbsd@quip.cz> wrote:
> Interesting idea but patch was stripped by mailing list. Can you put it
> online and post the link to it?

Indeed, interesting idea!

The best options would be to attach the patch either to a bugzilla report
(https://bugs.freebsd.org) or a phabricator review
(https://reviews.freebsd.org).

Regards,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com

From owner-freebsd-jail@freebsd.org Mon Feb 25 09:12:01 2019
From: Alexander Leidinger <alexander@leidinger.net>
To: Miroslav Lachman <000.fbsd@quip.cz>
Date: Mon, 25 Feb 2019 10:11:24 +0100
Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch]
Message-ID: <16923ec5260.27fa.fa4b1493b064008fe79f0f905b8e5741@Leidinger.net>
In-Reply-To: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net>

http://www.leidinger.net/FreeBSD/current-patches/rc_svc_jails.diff

--
Sent from a mobile device, please forgive brevity and misspellings.

On 24 February 2019 at 9:48:19 PM, Miroslav Lachman <000.fbsd@quip.cz> wrote:

> Alexander Leidinger via freebsd-jail wrote on 2019/02/24 11:00:
>
> [...]
>
>> Attached is a proof of concept (only lightly tested with
>> start/stop/status/restart) so that you can play around with it a little
>> bit. Please don't focus on the patch. This mail is to seek feedback
>> about the feature and the quick design so far. To make it explicit, I do
>> not ask (yet) if and which service to handle like this by default. This
>> is just the possibility to do something like this.
>
> Interesting idea but patch was stripped by mailing list. Can you put it
> online and post the link to it?
>
> Kind regards
> Miroslav Lachman

From owner-freebsd-jail@freebsd.org Thu Feb 28 08:45:17 2019
From: "Patrick M. Hausen" <hausen@punkt.de>
To: Michael Grimm
Cc: FreeBSD Net, freebsd-jail@freebsd.org
Date: Thu, 28 Feb 2019 09:44:50 +0100
Subject: Re: Performance issues with VNET/bridge/VLAN
Message-Id: <4857F070-3DBD-4CA0-8E32-D9DE1EA2C7F0@punkt.de>
In-Reply-To: <79A4C471-FCDF-4C2D-BBEF-6512F3AF608F@ellael.org>

Hi,

just a quick info - I need some more time because this is getting
weirder and weirder …

Changing the "complaint" host from VLANs to dedicated interfaces fixed
the perceived TCP performance issue for that host. Then I tried to
reproduce the problem on another host *with* the VLAN based setup. Same
OS version, identical setup (all Ansible here) - *no* performance
issue. Everything running "fast".

I'll try to build a reliable test scenario with reproducibly
problematic results and report back.

Kind regards
Patrick

--
punkt.de GmbH                   Internet - Dienstleistungen - Beratung
Kaiserallee 13a                 Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe                 info@punkt.de   http://punkt.de
AG Mannheim 108285              Gf: Juergen Egeling

From owner-freebsd-jail@freebsd.org Thu Feb 28 10:58:38 2019
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-jail@freebsd.org
Date: Thu, 28 Feb 2019 11:58:30 +0100
Subject: how to determine primary (source) IP address in jail
Message-ID: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
Is there some easy way to determine the primary (source) address which
is used in jail with multiple IP addresses?

I came to this problem with running local_unbound in jail. Unbound
refuses queries originating in this jail because they do not come from
real 127.0.0.1 (which is the only one allowed by default). Unbound in
jail sees requests come from the jail's IP. It is easy to determine (in
shell script) if jail has only one IP.
But what in case where jail has multiple IPs? Is there some sysctl or
some call to ifconfig or any other util to get the IP which will be
used as source address for queries on local services in jail?

I know I can allow all IPs of jail in
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow

I am just curious if there is some way to get "primary" IP in jail
without calling anything from the host environment.

Kind regards
Miroslav Lachman

From owner-freebsd-jail@freebsd.org Thu Feb 28 17:46:40 2019
From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@freebsd.org
Date: Thu, 28 Feb 2019 10:43:30 -0700
Subject: Re: how to determine primary (source) IP address in jail
Message-ID: <80473893b119a7f602ff7efb72416561@freebsd.org>
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
On 2019-02-28 03:58, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in a jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in a jail. Unbound
> refuses queries originating in this jail because they do not come from
> the real 127.0.0.1 (which is the only one allowed by default). Unbound in
> the jail sees requests come from the jail's IP. It is easy to determine
> (in a shell script) if the jail has only one IP.
> But what in the case where the jail has multiple IPs? Is there some sysctl
> or some call to ifconfig or any other util to get the IP which will be
> used as the source address for queries to local services in the jail?
>
> I know I can allow all IPs of the jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get the "primary" IP in the jail
> without calling anything from the host environment.

There's nothing reliable that I know of. Lists of addresses like that from
"ifconfig -a" or "netstat -rn" are in the order that they exist on the host,
filtered so only in-jail addresses show up. While this may work for jails
that always create aliases for their addresses in the defined order (as
jail(8) will), it doesn't work in cases where the address already exists. It
will also have problems when the addresses are on different interfaces.

- Jamie

Date: Thu, 28 Feb 2019 12:05:50 -0800
From: BulkMailForRudy <crapsh@monkeybrains.net>
To: freebsd-jail@freebsd.org
Subject: Re: how to determine primary (source) IP address in jail
References: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>

One way to fix the problem is to use VNET in your jails and you will get a
lo0 with 127.0.0.1 inside the jail.
Rudy

On 2/28/19 2:58 AM, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in a jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in a jail. Unbound
> refuses queries originating in this jail because they do not come from
> the real 127.0.0.1 (which is the only one allowed by default). Unbound in
> the jail sees requests come from the jail's IP. It is easy to determine
> (in a shell script) if the jail has only one IP.
> But what in the case where the jail has multiple IPs? Is there some sysctl
> or some call to ifconfig or any other util to get the IP which will be
> used as the source address for queries to local services in the jail?
>
> I know I can allow all IPs of the jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get the "primary" IP in the jail
> without calling anything from the host environment.
>
> Kind regards
> Miroslav Lachman

Date: Thu, 28 Feb 2019 22:11:21 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Subject: Re: how to determine primary (source) IP address in jail
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>

On 28 Feb 2019, at 10:58, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in a jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in a jail. Unbound
> refuses queries originating in this jail because they do not come from
> the real 127.0.0.1 (which is the only one allowed by default). Unbound in
> the jail sees requests come from the jail's IP. It is easy to determine
> (in a shell script) if the jail has only one IP.
> But what in the case where the jail has multiple IPs? Is there some sysctl
> or some call to ifconfig or any other util to get the IP which will be
> used as the source address for queries to local services in the jail?

Bind the listen socket of the local unbound to any IP of your jail and other
services (unless the source port got bound) will select the same IP address
as the destination if both are in the same jail.

> I know I can allow all IPs of the jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get the "primary" IP in the jail
> without calling anything from the host environment.

Open a UDP socket; bind to 127.1; call getsockname;
https://reviews.freebsd.org/D19218 is currently having a similar issue,
solving it exactly that way.

There were people who in the past added a 127.{2,3,4,5,..} for each jail and
then used that one instead of 127.1 but I've never been a huge fan of that,
especially given one may run the resolver for other services outside that
jail (maybe in others) as well and they need to be able to reach that in a
reliable way.

/bz
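Bjoern's "open a UDP socket, bind to 127.1, call getsockname" trick, written out as a small C program. This is an added example and not code from the thread or from D19218. It relies on the FreeBSD behaviour Bjoern describes: inside a non-VNET jail a bind() to the loopback address is rewritten by the kernel to the jail's first address of that family, so getsockname() returns the address local services will actually see as the source. The IPv6 branch (binding ::1) is my extension of his IPv4 description and is assumed to behave the same way; the function names and the helper that formats an unbound access-control line are mine. The program probes the system it runs on rather than constructed input.

```c
/*
 * Added example (not from the thread): discover the address a jailed process
 * sources from, via Bjoern's UDP socket / bind(127.0.0.1) / getsockname()
 * trick. Inside a non-VNET jail FreeBSD rewrites the loopback bind to the
 * jail's primary address of that family (assumed to hold for ::1 as well).
 * On the host, or in a VNET jail that has its own lo0, the result is simply
 * 127.0.0.1 or ::1, which unbound already allows by default.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Bind a UDP socket to the loopback address of family af (AF_INET or
 * AF_INET6) on an ephemeral port, then copy the address the kernel actually
 * bound to into buf as text. Returns 0 on success, -1 on failure (errno is
 * left as set by the libc call that failed).
 */
int
jail_source_address(int af, char *buf, size_t buflen)
{
	struct sockaddr_storage ss;
	socklen_t len;
	int s, rc = -1;

	memset(&ss, 0, sizeof(ss));
	if (af == AF_INET) {
		struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
		sin->sin_family = AF_INET;
		sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* 127.0.0.1 */
		len = sizeof(*sin);
	} else if (af == AF_INET6) {
		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
		sin6->sin6_family = AF_INET6;
		sin6->sin6_addr = in6addr_loopback;		/* ::1 */
		len = sizeof(*sin6);
	} else
		return (-1);
#ifdef __FreeBSD__
	ss.ss_len = len;	/* BSD sockaddrs carry a length; bind() checks it */
#endif
	if ((s = socket(af, SOCK_DGRAM, 0)) < 0)
		return (-1);
	/* Port 0 lets the kernel pick; nothing is ever sent on this socket. */
	if (bind(s, (struct sockaddr *)&ss, len) == 0 &&
	    getsockname(s, (struct sockaddr *)&ss, &len) == 0) {
		const void *addr = (af == AF_INET) ?
		    (const void *)&((struct sockaddr_in *)&ss)->sin_addr :
		    (const void *)&((struct sockaddr_in6 *)&ss)->sin6_addr;
		if (inet_ntop(af, addr, buf, buflen) != NULL)
			rc = 0;
	}
	close(s);
	return (rc);
}

/*
 * Format the unbound.conf line that admits queries from the discovered
 * source address, e.g. "access-control: 192.0.2.10/32 allow". Returns 0 on
 * success, -1 if the address could not be determined or out is too small.
 */
int
unbound_access_control_line(int af, char *out, size_t outlen)
{
	char addr[INET6_ADDRSTRLEN];
	int n;

	if (jail_source_address(af, addr, sizeof(addr)) != 0)
		return (-1);
	n = snprintf(out, outlen, "access-control: %s/%d allow",
	    addr, af == AF_INET ? 32 : 128);
	return ((n > 0 && (size_t)n < outlen) ? 0 : -1);
}

int
main(void)
{
	char line[128];

	/* The IPv6 probe fails harmlessly in a jail without IPv6. */
	if (unbound_access_control_line(AF_INET, line, sizeof(line)) == 0)
		puts(line);
	if (unbound_access_control_line(AF_INET6, line, sizeof(line)) == 0)
		puts(line);
	return (0);
}
```

Run it from inside the jail (an rc.d precmd for local_unbound is the natural place) and append the printed line to the access-control list. Because a host or VNET jail yields 127.0.0.1/32 and ::1/128, which unbound permits anyway, the same script is safe to ship everywhere, and it never grants more than the single /32 or /128 the jail actually sources from.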
Date: Fri, 01 Mar 2019 06:43:08 -0500
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-jail@freebsd.org
Subject: Re: how to determine primary (source) IP address in jail
Message-Id: <0439c792-dbb7-49cb-aed2-37aa9e5e1689@www.fastmail.com>
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in a jail with multiple IP addresses? I came to this problem with
> running local_unbound in a jail. Unbound refuses queries originating in
> this jail because they do not come from the real 127.0.0.1 (which is the
> only one allowed by default). Unbound in the jail sees requests come from
> the jail's IP. It is easy to determine (in a shell script) if the jail has
> only one IP.
> But what in the case where the jail has multiple IPs? Is there some sysctl
> or some call to ifconfig or any other util to get the IP which will be
> used as the source address for queries to local services in the jail?

Specifically for unbound, try interface-automatic and see if that helps.

    interface-automatic: Detect source interface on UDP queries and copy
    them to replies. This feature is experimental, and needs support in
    your OS for particular socket options. Default value is no.
    # /etc/unbound/conf.d/secure.conf
    server:
        interface-automatic: yes
        access-control: 127.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse
        access-control: ::1/128 allow    # the loopback host only
        access-control: ::/8 refuse
        ...

I don't use it quite the same way as you though, and it doesn't solve the
generic problem. I run a single unbound instance in the host system, and only
allow jails to resolve via that.

https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

A+
Dave