Date:      Sun, 31 May 2009 14:47:16 -0700
From:      "Justin G." <justin@sigsegv.ca>
To:        freebsd-jail@freebsd.org
Subject:   Re: Implications of allow_raw_sockets=1
Message-ID:  <5da021490905311447ya99c484ucaeabc74e813f394@mail.gmail.com>
In-Reply-To: <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com>
References:  <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com>

On Sun, May 31, 2009 at 11:49 AM, Richard Noorlandt
<lists.freebsd@gmail.com> wrote:
> Hello everyone,
>
> I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
> jails that run all kinds of network services. One of the jails is running
> Nagios, which will monitor hosts in the network. The most straightforward
> way to let Nagios decide if a host is up or down is by pinging other
> hosts. However, by default this won't work because the
> security.jail.allow_raw_sockets sysctl is set to '0'.
>
> It would be nice if I was able to ping from the Nagios jail, but the risks
> of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
> Some online searching suggests that the sysctl defaults to 0 because raw
> sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
> this has changed. Unfortunately I can't find a clear overview of the
> security risks involved with allowing raw sockets.
>
> So, what are the exact security implications of allowing raw sockets inside
> jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
> specific jails?
>
> Best regards,
>
> Richard
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

At this time there is no way to set allow_raw_sockets on a per-jail basis.

Raw sockets can allow processes to sniff the network, craft
malformed packets, execute DDoS attacks, inject packets, among other
things.
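An added example, not code from either message in this thread: a small C
program that shows what the sysctl gates. It hand-builds an ICMP echo
request (the same kind of packet ping sends, but with a caller-chosen id,
sequence and payload, and nothing in the API stopping it from being some
other type entirely) and then asks the kernel for a SOCK_RAW socket.
Inside a jail on FreeBSD 7.x with security.jail.allow_raw_sockets=0 the
socket() call fails with EPERM, so running this from the Nagios jail is a
quick way to confirm the setting. The payload string, the id taken from
getpid() and the loopback destination are my choices for the demo; the
byte values in selftest() are worked by hand from the RFC 1071 checksum.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* RFC 1071 Internet checksum. Words are read in memory order and the
 * result is stored in memory order, so the bytes come out right on both
 * big- and little-endian hosts. An odd trailing byte is zero-padded. */
static uint16_t inet_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        uint16_t w;
        memcpy(&w, buf, 2);
        sum += w;
        buf += 2;
        len -= 2;
    }
    if (len == 1) {
        uint16_t w = 0;
        memcpy(&w, buf, 1);
        sum += w;
    }
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (type 8, code 0) into out[]. The caller
 * controls every field; nothing here is validated by the kernel once the
 * process holds a raw socket. Returns the packet length, 0 if out is
 * too small. */
size_t build_icmp_echo(uint8_t *out, size_t outlen, uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t plen)
{
    size_t total = 8 + plen;
    if (out == NULL || outlen < total)
        return 0;
    out[0] = 8;            /* type: echo request */
    out[1] = 0;            /* code */
    out[2] = 0;            /* checksum placeholder, computed over the whole packet */
    out[3] = 0;
    out[4] = (uint8_t)(id >> 8);
    out[5] = (uint8_t)(id & 0xff);
    out[6] = (uint8_t)(seq >> 8);
    out[7] = (uint8_t)(seq & 0xff);
    if (plen)
        memcpy(out + 8, payload, plen);
    uint16_t ck = inet_checksum(out, total);
    memcpy(out + 2, &ck, 2);
    return total;
}

/* A packet whose checksum field is correct sums to zero. Returns 1 if ok. */
int verify_icmp_checksum(const uint8_t *pkt, size_t len)
{
    return inet_checksum(pkt, len) == 0;
}

/* Known-answer checks with constructed inputs. Returns 1 on success. */
int selftest(void)
{
    uint8_t pkt[16];
    const uint8_t payload[3] = { 'a', 'b', 'c' };  /* constructed, odd length */
    size_t n;

    /* header only, id 0x1234, seq 1: checksum bytes are E5 CA */
    n = build_icmp_echo(pkt, sizeof pkt, 0x1234, 1, NULL, 0);
    if (n != 8 || pkt[0] != 8 || pkt[1] != 0) return 0;
    if (pkt[2] != 0xE5 || pkt[3] != 0xCA) return 0;
    if (!verify_icmp_checksum(pkt, n)) return 0;
    pkt[5] ^= 0x01;                      /* corrupt the id: must now fail */
    if (verify_icmp_checksum(pkt, n)) return 0;

    /* odd-length payload exercises the padding branch: checksum bytes 21 68 */
    n = build_icmp_echo(pkt, sizeof pkt, 0x1234, 1, payload, sizeof payload);
    if (n != 11 || pkt[2] != 0x21 || pkt[3] != 0x68) return 0;
    if (!verify_icmp_checksum(pkt, n)) return 0;
    return 1;
}

/* Probe: does this process (e.g. one inside a jail) get a raw socket at all? */
int main(void)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "jail-probe";   /* constructed demo payload */
    size_t n = build_icmp_echo(pkt, sizeof pkt, (uint16_t)getpid(), 1,
                               payload, sizeof payload - 1);
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        /* EPERM here inside a jail means allow_raw_sockets is 0 */
        printf("raw socket denied: %s\n", strerror(errno));
        return 1;
    }
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    ssize_t sent = sendto(fd, pkt, n, 0, (struct sockaddr *)&dst, sizeof dst);
    printf("raw socket allowed; sent %zd of %zu bytes of hand-built ICMP echo\n",
           sent, n);
    close(fd);
    return 0;
}
```

The point of the hand-built header is the one the reply makes: once the
kernel hands out a raw socket, the caller, not the kernel, decides what
goes on the wire, so an "ICMP echo" could just as easily be a spoofed or
malformed packet. Because the sysctl is global, every jail on the host
gets that capability when it is flipped to 1, not just the monitoring one.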

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5da021490905311447ya99c484ucaeabc74e813f394>