Date:      Thu, 2 Jun 2016 11:45:57 -0600
From:      markham breitbach <markham@ssimicro.com>
To:        freebsd-jail@freebsd.org
Subject:   Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Message-ID:  <3392c787-6df5-5238-7de6-ad07d70442ae@ssimicro.com>
In-Reply-To: <20160602162137.7A719E8E382@barracuda.ssimicro.com>
References:  <574f0851.ca0b620a.c7073.5becSMTPIN_ADDED_MISSING@mx.google.com> <574F54FC.3040203@gmail.com> <20160602162137.7A719E8E382@barracuda.ssimicro.com>


>> I disagree with you about the security issue of using localhost. Running
>> sendmail in a non-vimage jail using its default config listening on
>> localhost is still contained in the jail. Localhost is internally
>> converted to the jail's assigned ip address by jail(8).
> How is anything listening on localhost internally converted yet still
> contained in the jail?  I mean what is the mechanism and why sendmail but not
> other daemons?
>
>>  Why do you think this is a non-trivial security issue?
>  telnet $jail 25
>  ehlo ...
>  mail from: <...>
>  rcpt to: <...>
>  data
>
> Sendmail has never been a relatively secure app and DOS/DDOS and spam are
> vulnerabilities but point taken.
>
> Problem is the localhost to external mapping impacts not just sendmail but
> named, postfix and anything else listening on 127.0.0.1.
>
>
I think, perhaps, you misunderstand this issue.  Inside a jail,
lo0[127.0.0.1] is mapped directly to the primary IP address of a jail.

For example, if you are building a typical public-facing web-hosting
stack and you bind mysql to 127.0.0.1 expecting it to be only accessible
to the localhost, you will be horribly surprised when you find you have
just exposed your mysql server to the whole world.

That is a terrible security issue because someone working as the system
administrator for that web-host should not need to be aware that
127.0.0.1 isn't really localhost for this particular host.  localhost
should behave according to spec, and should not just magically map
loopback packets onto the public network.

FTFRFC:

   127.0.0.0/8 - This block is assigned for use as the Internet host
   loopback address.  A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700, page 5].

-M
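An added example, not part of this thread or of FreeBSD's own tooling: a small audit script for the behaviour described above. It takes the text of `jls -h jid name ip4.addr` and of `sockstat -4 -l -j <jid>` run inside each classic jail, and reports every listener bound to 127.0.0.0/8 together with the jail address it is actually reachable on. The column layouts of both commands are assumed from memory and the sample output is constructed; the `vnet_jids` set is a hypothetical caller-supplied list of VNET jails (which have their own lo0 and are skipped).

```python
"""Audit FreeBSD jails for daemons bound to 127.0.0.1 that are really exposed.

Inside a classic (non-VIMAGE) jail, jail(8) rewrites 127.0.0.1 to the jail's
primary IPv4 address, so a socket bound to loopback there is reachable on
that address from the network.  A VNET jail has its own lo0 and is exempt.
The parsers read the text of `jls -h jid name ip4.addr` and of
`sockstat -4 -l -j <jid>` run once per jail; all sample data is constructed.
"""
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample in the shape of `jls -h jid name ip4.addr` (assumed layout:
# one header line, then space-separated columns, "-" for an unset parameter).
JLS_OUTPUT = """\
jid name ip4.addr
3 www 203.0.113.10
5 mail 203.0.113.11,203.0.113.12
7 vnetjail -
"""

# Constructed sample of `sockstat -4 -l -j <jid>` output, keyed by jid.
SOCKSTAT_OUTPUT = {
    3: """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
www      nginx      1300  6  tcp4   203.0.113.10:80       *:*
www      php-fpm    1350  7  tcp4   127.0.0.1:9000        *:*
""",
    5: """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   2001  4  tcp4   127.0.0.1:25          *:*
root     sendmail   2001  5  tcp4   *:587                 *:*
""",
    7: """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   3001  4  tcp4   127.0.0.1:25          *:*
""",
}


def parse_jls(text):
    """Map jid -> (name, primary IPv4 or None) from `jls -h jid name ip4.addr`."""
    jails = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split()
        jid, name = int(parts[0]), parts[1]
        addrs = parts[2] if len(parts) > 2 else "-"
        # ip4.addr may hold a comma-separated list; the first entry is the
        # primary address that 127.0.0.1 is rewritten to.
        primary = None if addrs == "-" else addrs.split(",")[0]
        jails[jid] = (name, primary)
    return jails


def parse_sockstat(text):
    """Yield listening sockets parsed from `sockstat -4 -l` output."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue  # header or malformed line
        user, command, pid, _fd, proto, local, _foreign = parts[:7]
        host, port = local.rsplit(":", 1)
        yield {"user": user, "command": command, "pid": int(pid),
               "proto": proto, "host": host, "port": int(port)}


def audit(jls_text, sockstat_by_jid, vnet_jids=frozenset()):
    """Return loopback-bound listeners that are actually reachable on a jail IP.

    vnet_jids (hypothetical input) lists jails known to run with their own
    network stack, e.g. from `jls -h jid vnet`; their loopback really is private.
    """
    jails = parse_jls(jls_text)
    findings = []
    for jid, text in sockstat_by_jid.items():
        name, primary = jails.get(jid, ("?", None))
        if jid in vnet_jids or primary is None:
            continue  # own lo0, or no ip4.addr for loopback to be rewritten to
        for sock in parse_sockstat(text):
            if sock["host"] == "*":
                continue  # wildcard binds are deliberately reachable
            if ipaddress.ip_address(sock["host"]) in LOOPBACK_NET:
                findings.append({
                    "jail": name,
                    "command": sock["command"],
                    "bound": f'{sock["host"]}:{sock["port"]}',
                    "exposed": f'{primary}:{sock["port"]}',
                })
    return findings


if __name__ == "__main__":
    for f in audit(JLS_OUTPUT, SOCKSTAT_OUTPUT, vnet_jids={7}):
        print(f'jail {f["jail"]}: {f["command"]} bound to {f["bound"]} '
              f'is reachable on {f["exposed"]}')
```

On the sample data this flags mysqld and php-fpm in the `www` jail and sendmail's port 25 in the `mail` jail; the nginx listener bound explicitly to the jail address and the `*:587` wildcard bind are not reported, since those are reachable by design. The practical fix for a flagged service is to bind it to the jail's address and filter with the host firewall, or to move the jail to VNET so that loopback really is local.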
