Date:      Sat, 24 Feb 2007 13:05:49 +0000
From:      "Jim Stapleton" <stapleton.41@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: problems with jail
Message-ID:  <80f4f2b20702240505o6c7f1e36r87389f645bc86238@mail.gmail.com>
In-Reply-To: <20070224055350.GA2587@idoru.cepheid.org>
References:  <80f4f2b20702231107p1cf7f4f3n5896aa7e8ef0ecaf@mail.gmail.com> <200702240408.40222.h.schmalzbauer@omnisec.de> <80f4f2b20702231921x603c759g9b143b24edfaa7d5@mail.gmail.com> <200702240430.09674.h.schmalzbauer@omnisec.de> <80f4f2b20702231936m9725099v6e638685273630f0@mail.gmail.com> <80f4f2b20702231943j3fea9f4fxb3919898ad4dfc21@mail.gmail.com> <20070224055350.GA2587@idoru.cepheid.org>

OK, I managed to get it so something else wasn't grabbing *.*, dunno
what made that happen. What you said made me think "Hey, there was
something in the man pages about starting services", so I figured I ought
to test that out. So I did:




Pre-Jail process/netstat:
root@elrond 07:52:14 (0) /usr/ports  > ps -A | grep syslog
 2952  ??  Ss     0:00.08 /usr/sbin/syslogd -b 192.168.1.84
root@elrond 07:52:17 (0) /usr/ports  > ps -A | grep send
 5489  p2  S+     0:00.00 grep send
root@elrond 07:52:25 (0) /usr/ports  > ps -A | grep name
root@elrond 07:52:29 (0) /usr/ports  > ps -A | grep inet
root@elrond 07:52:31 (0) /usr/ports  > ps -A | grep ssh
 2474  ??  Is     0:00.01 /usr/sbin/sshd
 5498  p2  R+     0:00.00 grep ssh
sjss@elrond 07:51:08 (0) ~  > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.53971     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.84.syslog    *.*




starting jail
root@elrond 07:52:50 (0) /usr/ports  > jail /jail/
legolas@ameritech.net 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
legolas@ameritech.net
Setting hostname: legolas@ameritech.net.
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.

Sat Feb 24 07:54:40 UTC 2007



Jailed port/binding list:
sjss@elrond 07:54:05 (0) ~  > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.85.smtp      *.*                    LISTEN
tcp4       0      0  192.168.1.85.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.58735     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.85.syslog    *.*
udp4       0      0  192.168.1.84.syslog    *.*



Issue not confused, but it did give me some "try this" tests.
Unfortunately I still can't connect to anything outside of the jail,
not even to the host.
SSHing into the jail does not work; into the host it does.
root@elrond 07:54:40 (0) /usr/ports  > jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C

And as a last test I should have thought of before:
root@elrond 07:59:13 (0) /usr/ports  > sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
root@elrond 07:59:26 (0) /usr/ports  > jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384


oh, and for testing purposes, I unhid everything in /jail/dev
root@elrond 08:04:20 (0) /usr/ports  > devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide



Still no luck. Thanks everyone for all the help, hopefully this is
enough information to indicate the problem.

-Jim Stapleton
> sockstat (referenced at the end of the netstat man page) will show you
> process names/ports.
>
> To get any given service to work inside the jail, that IP:Port must
> not be bound anywhere else, but it must be bound within the jail.
> That is, you need an sshd listening on the host machine port 22, and
> a separate sshd listening on the jail port 22.  The same applies for
> every service you want to run in both machines.
>
> This can get confusing, too.  It's generally best to always explicitly
> limit services by IP on the host, even if you have no intention of
> running the same service in a jail.  This will prevent
> confusion--imagine that you are wanting to run a webserver on the
> host, but not the jail (for some weird reason).  If apache is
> listening on all IPs that the host has, it will be listening on the
> jail IP, using the host filesystem.
>
> Hope that didn't confuse the issue or anything.
>
>
>
> On Sat, Feb 24, 2007 at 03:43:58AM +0000, Jim Stapleton wrote:
> > addendum, I fixed syslogd by adding this to my rc.conf:
> > syslogd_flags="-b 192.168.1.84"
> >
> > However, looking through netstat's man page, I couldn't find the name
> > of the flag (if it exists) that will show the process name. Does that
> > require a different tool?
> >
> > Thank you,
> > -Jim Stapleton
> >
> >
> >
> > On 2/24/07, Jim Stapleton <stapleton.41@gmail.com> wrote:
> > >OK, I have a fairly sizeable list, but it looks like most stuff is
> > >bound to 192.168.1.84 except two things, one is closed, and the other
> > >is syslog (guess I have to look at it's man page). It also looks like
> > >there is something else there. I guess I'll be looking at the netstat
> > >man page to figure out how to get the name of the daemon touch it:
> > >
> > > > netstat -f inet -a; netstat -f inet6 -a
> > >Active Internet connections (including servers)
> > >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > >tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
> > >tcp4       0      0  192.168.1.84.62237     caim-m05b.blue.a.aol   TIME_WAIT
> > >tcp4       0      0  192.168.1.84.58627     oam-d17a.blue.ao.aol   TIME_WAIT
> > >tcp4       0      0  192.168.1.84.64265     205.188.7.124.aol      TIME_WAIT
> > >tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
> > >tcp4       0      0  *.*                    *.*                    CLOSED
> > >tcp4       0      0  192.168.1.84.61774     ar-in-f19.google.http  ESTABLISHED
> > >tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
> > >udp4       0      0  *.syslog               *.*
> > >Active Internet connections (including servers)
> > >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > >udp6       0      0  *.syslog               *.*
> > >
> > >
> > >
> > >On 2/24/07, Harald Schmalzbauer <h.schmalzbauer@omnisec.de> wrote:
> > >> Am Samstag, 24. Februar 2007 04:21 schrieb Jim Stapleton:
> > >> > I did the ssh after you did the previous mail, but it didn't fix the
> > >> > problem.
> > >> >
> > >> > I'm not having problems with sendmail or named, they were simply mentioned
> > >> > in the man page. I never had named running, and I didn't realize
> > >> > sendmail was running. The latter was my problem with sendmail. That
> > >> > problem as I said is fixed. Beyond that I don't even know which
> > >> > process on my system are daemons at this point, except usbd and devd,
> > >> > neither of which (to my knowledge) should be listening to any sockets.
> > >> > Actually there are a couple of kernel processes (pagedaemon, vmdaemon,
> > >> > and bufdaemon), but I don't know where to find documentation on them,
> > >> > X, and KDM. I can't find anything on limiting sockets of these to a
> > >> > specific IP only.
> > >>
> > >> To see what daemons are listening you can use 'netstat -f inet -a'. Then you
> > >> see if you have to limit some other daemons (use -f inet6 for IPv6 if
> > >> configured).
> > >>
> > >> Please post the output of the command above to see why you get ssh connections
> > >> to your jail IP answered by the host's ssh daemon.
> > >>
> > >> -Harry
> > >>
> > >> --
> > >> OmniSEC  -  UNIX und Windows Netzwerke - Sicher
> > >> Harald Schmalzbauer
> > >> Flintsbacher Str. 3
> > >> 80686 München
> > >> +49 (0) 89 18947781
> > >> +49 (0) 160 93860101
> > >>
> > >
>
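The rule in the quoted reply above (every service on the host must be bound explicitly to the host IP, so that the jail IP's ports are free for the jail's own daemons, and anything listening on all addresses also answers on the jail IP using the host filesystem) can be checked mechanically rather than by reading netstat output by eye. The following is an added example, not code from this thread or from FreeBSD: a POSIX sh function that reads `sockstat -4 -l` output and lists every host listener that would answer on the jail's address, i.e. a wildcard bind (`*:port`) or an explicit bind to the jail IP. The sockstat sample embedded below is constructed for the example; the names `jail_conflicts`, `rc_conf_bind_hint` and `SAMPLE_SOCKSTAT` are my own, and the `sshd_flags` hint relies on sshd's `-o ListenAddress=` option, which the thread does not mention.

```shell
#!/bin/sh
# Added example: find host listeners that would capture a jail's IP.
# Not from the thread; assumes the column layout of `sockstat -4 -l`
# (USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS").

# Constructed sample of `sockstat -4 -l` output on a host whose own
# address is 192.168.1.84 and whose jail will use 192.168.1.85.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       2474  3  tcp4   *:22                  *:*
root     syslogd    2952  4  udp4   192.168.1.84:514      *:*
root     sendmail   2710  3  tcp4   192.168.1.85:25       *:*
www      httpd      3001  3  tcp4   192.168.1.84:80       *:*'

# jail_conflicts JAIL_IP  < sockstat-output
# Prints "COMMAND PID PROTO LOCAL" for each host listener that would
# answer on the jail address: a wildcard bind, or a bind to the jail IP
# itself. IPv4 only: the address is split on the first ':'.
jail_conflicts() {
    jail_ip="$1"
    awk -v jail="$jail_ip" '
        NR == 1 { next }                 # skip the sockstat header line
        {
            laddr = $6                   # LOCAL ADDRESS column, e.g. *:22
            split(laddr, a, ":")         # a[1] = address, a[2] = port
            if (a[1] == "*" || a[1] == jail)
                printf "%s %s %s %s\n", $2, $3, $5, laddr
        }'
}

# rc_conf_bind_hint COMMAND HOST_IP
# Suggests the rc.conf line that pins a daemon to the host IP. Only the
# two daemons discussed in the thread get a concrete flag; the syslogd
# line is the one posted above, the sshd line uses sshd's -o option.
rc_conf_bind_hint() {
    case "$1" in
        sshd)    printf 'sshd_flags="-o ListenAddress=%s"\n' "$2" ;;
        syslogd) printf 'syslogd_flags="-b %s"\n' "$2" ;;
        *)       printf '# %s: bind it to %s in its own configuration\n' "$1" "$2" ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_conflicts 192.168.1.85
printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_conflicts 192.168.1.85 |
while read -r cmd pid proto laddr; do
    rc_conf_bind_hint "$cmd" 192.168.1.84
done
```

On a real host run it as `sockstat -4 -l | jail_conflicts 192.168.1.85` before starting the jail; anything it prints will either steal the jail's ports (wildcard bind) or already sits on the jail IP from the host side. The sendmail hit in the sample is the case the thread hit after the jail's /etc/rc started its own sendmail on 192.168.1.85: two sockets cannot both own 192.168.1.85:25. IPv6 listeners (`sockstat -6 -l`) need a different split, since the address itself contains colons.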