Date:      Tue, 1 Mar 2005 00:25:48 +0800
From:      Xin LI <delphij@frontfree.net>
To:        freebsd-arch@FreeBSD.org, freebsd-security@FreeBSD.org
Subject:   bind() on 127.0.0.1 in jail: bound to the outside address?
Message-ID:  <20050228162548.GA57140@frontfree.net>

Dear folks,

It seems that doing bind() inside a jail (whose IP address is an outside
address) will result in some weird behavior: the actual bind is
done on the outside address.

For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1
will finally result in a bind to 192.168.1.1:6666.  With this in mind,
it is possible that some formerly secure configurations fail in a jail
environment.

It seems that our implementation will forward every loopback connection
to the outside address.  A simple hack to work around this issue might
be to modify the individual bind procedures to treat the prison case with
a loopback address, but I'm not sure if a true solution can solve the
issue with minimum code change and code complexity.

Your ideas are highly appreciated!

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
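
A check a daemon could run after bind(), added here as an example and not part of the original message or of FreeBSD's own code: it asks the kernel with getsockname() which address the socket is really bound to and reports a mismatch with the loopback address it requested. The helper names bind_tcp4() and bound_to() are hypothetical, and the check assumes getsockname() reports the rewritten address inside a jail.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example; bind_tcp4() and bound_to() are illustrative names. */
/* Bind a TCP/IPv4 socket to ip:port. Returns the fd, or -1 on error. */
int bind_tcp4(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Compare fd's real local address with ip: 1 equal, 0 differs, -1 error. */
int bound_to(int fd, const char *ip)
{
    struct sockaddr_in got;
    struct in_addr want;
    socklen_t len = sizeof(got);
    if (inet_pton(AF_INET, ip, &want) != 1 ||
        getsockname(fd, (struct sockaddr *)&got, &len) != 0)
        return -1;
    return got.sin_addr.s_addr == want.s_addr;
}

int main(void)
{
    int fd = bind_tcp4("127.0.0.1", 6666);  /* address and port from the message */
    if (fd < 0) { perror("bind"); return 2; }
    int rewritten = bound_to(fd, "127.0.0.1") != 1;
    if (rewritten)
        fprintf(stderr, "bind address was rewritten; refusing to listen\n");
    close(fd);
    return rewritten;
}
```

A service that relies on a loopback-only listener can run this check before listen() and exit on a mismatch rather than serve on the jail's outside address.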

