Date: Fri, 19 Jan 2018 13:30:59 +0100
From: Ole <ole@free.de>
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Cc: "Isaac (.ike) Levy" <ike@blackskyresearch.net>, freebsd-jail@freebsd.org, luke@solentwholesale.com
Subject: Re: Jails routing and localhost
Message-ID: <20180119133059.33f5bcf6.ole@free.de>
In-Reply-To: <1c753990-e148-cfc9-4a82-997564ceff57@heuristicsystems.com.au>
References: <20180118132304.3455fa43.ole@free.de> <1516303926.3867424.1240160096.44CF04A6@webmail.messagingengine.com> <1c753990-e148-cfc9-4a82-997564ceff57@heuristicsystems.com.au>
Hi Dewayne,

Fri, 19 Jan 2018 10:36:43 +1100 - Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>:

> If you're paranoid, I also add a firewall rule to restrict traffic
> from/to specific ports and IP's over lo0. If you have anything
> sensitive you might also consider this restriction. Though I would
> recommend using "tcpdump -ni $INTERFACE" to learn how jails and
> routing works in your environment. I was surprised to observe: when
> two jails are assigned IP's on their external interface the traffic
> between, expecting to use their external interfaces, traverses lo0.

Until now I thought that jails with two different /32 loopback addresses could not communicate over loopback, because it is /32. But you are right. I need a firewall rule to block traffic between the jails.

> PS Sadly there are many examples of ports using 127.0.0.1 instead of
> localhost, there are 104 different files in the Samba 4.7 suite that
> use 127.0.0.1 :/

Yes. I think there are two standards. One is like Isaac told, RFC 3330. And the other one was "vote with the feet" and is localhost = 127.0.0.1. There is too much software with this address hardcoded. So it is a security feature that software will not bind to a public IP by accident.

I wonder why it makes such a difference if the IP address of the host is /32 or not. And I can't just change it to /24, because then I couldn't reach the other servers in this /24 network.
And some of them are also mine :-(

Ole
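The inter-jail firewall rule Ole says he needs, as an added example that is not part of the thread: a POSIX sh function that emits a pf.conf fragment isolating a set of jail addresses from each other on lo0. The addresses and the table name `<jails>` are constructed samples; on a real host take the addresses from jls(8) or jail.conf(5).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Generate pf(4) rules so that jails sharing one host cannot reach each
# other over lo0, while each jail can still reach its own address.
# Inside a jail, 127.0.0.1 is rewritten to the jail's first IPv4 address,
# so a jail's "localhost" traffic also crosses lo0 and must stay allowed.
# The addresses below are constructed samples.

# jail_isolation_rules IP... : print a pf.conf fragment to stdout.
jail_isolation_rules() {
    if [ $# -lt 2 ]; then
        echo "need at least two jail addresses" >&2
        return 1
    fi

    # Comma-separated address list for the pf table (name is assumed).
    _list=$(printf '%s, ' "$@")
    _list=${_list%, }
    printf 'table <jails> { %s }\n' "$_list"

    # "quick" rules are first-match: a jail may always talk to itself.
    for _ip in "$@"; do
        printf 'pass quick on lo0 inet from %s to %s\n' "$_ip" "$_ip"
    done

    # Any other jail-to-jail packet on lo0 is dropped and logged to
    # pflog0, which is where to look when a jail unexpectedly goes quiet.
    printf 'block drop log quick on lo0 inet from <jails> to <jails>\n'
}

# Stand-alone use: print a ruleset for three sample jails.
if [ "${1:-}" = "--demo" ]; then
    jail_isolation_rules 192.0.2.10 192.0.2.11 192.0.2.12
fi
```

Load the fragment ahead of your existing rules and confirm the behaviour the way Dewayne suggests, with `tcpdump -ni lo0` between two jail addresses and `tcpdump -ni pflog0` for the logged drops.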