Date: Wed, 27 Dec 2006 17:01:02 +0100
From: Gergely CZUCZY <phoemix@harmless.hu>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-net@freebsd.org
Subject: Re: [fbsd] Re: jail addresses and default bindings
Message-ID: <20061227160102.GA43151@harmless.hu>
In-Reply-To: <20061227155638.GG2187@obiwan.tataz.chchile.org>
References: <20061216094004.GA24480@harmless.hu> <20061216100556.T91892@maildrop.int.zabbadoz.net> <20061227155638.GG2187@obiwan.tataz.chchile.org>
On Wed, Dec 27, 2006 at 04:56:38PM +0100, Jeremie Le Hen wrote:
> On Sat, Dec 16, 2006 at 10:13:00AM +0000, Bjoern A. Zeeb wrote:
> > > this way it's hard to distinguish in a packet filter (let's say pf)
> > > among connections originating from within the jail itself or
> > > from the host system to the jail.
> >
> > I won't ask why you would want to do that if you control it
> > from the "host" system anyway...
>
> Additionally, ipfw(8) has the "jail" keyword, though it is easier to
> work with IP addresses since jail ids are bumped whenever you restart
> a jail.

Yes, I know. But it's not just the packet filter itself. This way I cannot make separate access control rules in PostgreSQL's configuration file which treat in-jail and host-system connections differently, since both have the same originating IP address.

It was pointed out to me to use sshd_config's bind directive, and netcat's -s, but in most client libraries I don't have this flexibility. Clients tend to bind to INADDR_ANY and leave the details to the IP stack itself. They just need to connect; they don't select IP addresses to bind to. libpq (postgres's client library) doesn't offer this flexibility, nor does any other client lib I know of at the moment. You cannot even configure a web browser (links, opera, firefox, etc.) and tell it which IPs it can use for browsing purposes and which ones are out of its limits (for example, some addresses are held for jails).

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
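The message above describes the default client behaviour (bind to INADDR_ANY, let the stack pick the source address) and contrasts it with the explicit source selection that netcat -s and sshd's bind option offer. As an added example, not code from the original thread or from any of the projects mentioned, here is the bind-before-connect pattern in C: the client chooses its source address itself, so a server-side ACL keyed on the peer address (a pf rule, a pg_hba.conf line) sees the address the client picked rather than whatever the kernel would have selected. The loopback self-test, the function names connect_from and loopback_demo, and the use of 127.0.0.1 as both source and destination are my own construction for a run that works offline.

```c
/* Added example (not from the original thread): a TCP client that picks its
 * own source address with bind() before connect(), as netcat -s does, instead
 * of leaving the choice to the IP stack. Function names and the loopback
 * self-test are assumptions made for this example. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Connect to dst_ip:dst_port using src_ip as the source address.
 * src_ip == NULL reproduces the default behaviour the message complains
 * about: INADDR_ANY, the kernel chooses. Returns a connected fd or -1. */
int connect_from(const char *src_ip, const char *dst_ip, uint16_t dst_port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    if (src_ip != NULL) {
        struct sockaddr_in src;
        memset(&src, 0, sizeof src);
        src.sin_family = AF_INET;
        src.sin_port = 0;                       /* any ephemeral port */
        if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&src, sizeof src) != 0) {
            close(fd);
            return -1;
        }
    }

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained check on loopback: listen on 127.0.0.1:<ephemeral>, connect
 * to it with connect_from(), and report the source address the server side
 * observes via getpeername()/accept(). Writes that address into peer_out.
 * Returns 0 on success, -1 on any failure. */
int loopback_demo(const char *src_ip, char *peer_out, size_t peer_len)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;

    struct sockaddr_in lsa;
    memset(&lsa, 0, sizeof lsa);
    lsa.sin_family = AF_INET;
    lsa.sin_port = 0;                           /* let the kernel pick a port */
    inet_pton(AF_INET, "127.0.0.1", &lsa.sin_addr);
    socklen_t len = sizeof lsa;
    if (bind(lfd, (struct sockaddr *)&lsa, len) != 0 ||
        listen(lfd, 1) != 0 ||
        getsockname(lfd, (struct sockaddr *)&lsa, &len) != 0) {
        close(lfd);
        return -1;
    }

    int cfd = connect_from(src_ip, "127.0.0.1", ntohs(lsa.sin_port));
    if (cfd < 0) {
        close(lfd);
        return -1;
    }

    /* The accepted socket's peer address is what pf or pg_hba.conf would see. */
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int afd = accept(lfd, (struct sockaddr *)&peer, &plen);
    int rc = -1;
    if (afd >= 0 &&
        inet_ntop(AF_INET, &peer.sin_addr, peer_out, (socklen_t)peer_len) != NULL)
        rc = 0;
    if (afd >= 0)
        close(afd);
    close(cfd);
    close(lfd);
    return rc;
}

int main(void)
{
    char peer[INET_ADDRSTRLEN];
    if (loopback_demo("127.0.0.1", peer, sizeof peer) == 0)
        printf("server saw connection from %s\n", peer);
    else
        perror("loopback_demo");
    return 0;
}
```

On a host with jails, src_ip would be an address held only by the host and dst_ip the jail's address; the server inside the jail then sees the host address as the peer and can be given a separate pg_hba.conf or pf rule for it. This only helps when you control the client's source, which is exactly the flexibility the message notes most client libraries do not expose.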
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061227160102.GA43151>