Date: Tue, 20 Apr 2004 11:20:37 +0200 From: "Poul-Henning Kamp" <phk@phk.freebsd.dk> To: "Christian S.J. Peron" <maneo@bsdpro.com> Cc: freebsd-security@freebsd.org Subject: Re: [patch] Raw sockets in jails Message-ID: <14522.1082452837@critter.freebsd.dk> In-Reply-To: Your message of "Tue, 20 Apr 2004 01:56:38 -0000." <20040420015638.A84821@staff.seccuris.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <20040420015638.A84821@staff.seccuris.com>, "Christian S.J. Peron" w rites: > > Although RAW sockets can be used when specifying the source > address of packets (defeating one of the aspects of the jail) > some people may find it usefull to use utilities like ping(8) > or traceroute(8) from inside jails. > > Enclosed is a patch I have written which gives you the option > of allowing prison-root to create raw sockets inside the prison, > so that programs various network debugging programs like ping > and traceroute etc can be used. > > This patch will create the security.jail.allow_raw_sockets sysctl > MIB. I would appriciate any feed-back from testers > > See PR #: > http://www.freebsd.org/cgi/query-pr.cgi?pr=65800 Could you take a peek and see how hard it would be to enforce source-IP compliance with the jail restriction ? -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14522.1082452837>