Date:      Thu, 2 Jun 2016 23:15:31 +0200
From:      Kai Gallasch <k@free.de>
To:        freebsd-jail@freebsd.org
Cc:        marquis@roble.com
Subject:   Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Message-ID:  <5750A1F3.8010000@free.de>

On 01.06.2016 18:07 Roger Marquis wrote:
> Ernie Luzar wrote:
>> the kernel to included vimage. Enabling pf or ipf firewalls cause the
>> host to crash. ipfw firewall does not cause a crash but has next to no
>> real life usage on vimage.

> Vimage gets little attention.  Unfortunately the mapping of non-vimage
> localhost interfaces to the primary external interface isn't noted
> nearly enough either.  These are weaknesses in bsd jails, the latter a
> non-trivial security issue on many non-vimage systems considering
> daemons like sendmail are installed and listening on "localhost" by
> default.
Yes. If you start up a standard jail, the jailed processes inside the jail
that would normally bind to the loopback address 127.0.0.1 will bind to
the IP address of the jail, thus being reachable from outside the
jail.

But there is a workaround.

On the jailhost you can clone an additional loopback interface (e.g. lo1)
for exclusive jail usage.

Assign to each jail an individual loopback address on this interface in
addition to the jail's IP address, like this:

jailhost:
igb0:10.10.10.100/24
 |
 |
jail1: ip4_addr:lo1|127.0.1.121,igb0|10.10.10.121/24
jail2: ip4_addr:lo1|127.0.1.122,igb0|10.10.10.122/24
 ...
 ..

If you start a jail configured like jail1, a sendmail process will happily
bind to 127.0.1.121 as its loopback address and not to 10.10.10.121, so it
is not exposed to the Internet or LAN. If you telnet, inside jail1, to
localhost:25 you will receive the sendmail greeting.

The way this workaround works, jail2 has access to services bound to
127.0.1.121 on jail1, but this can be firewalled if need be.

(pf)

block return in inet from 127.0.1.121 to !127.0.1.121
block return in inet from 127.0.1.122 to !127.0.1.122

Works for me.

K.

-- 
PGP-KeyID = 0x70654D7C4FB1F588
Internet of Things roadmap:
1) Put Linux on everything
2) Never update it
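The following is an added example, not code from Kai's mail: a small POSIX sh generator for the host-side configuration the workaround above needs, generalized to any number of jails. It writes the rc.conf(5) line that clones lo1, one jail.conf(5) block per jail with the private loopback address listed first (in a non-VIMAGE jail, 127.0.0.1 is rewritten to the jail's first IPv4 address, which is why the order matters), and the pf rules that keep one jail's private loopback from reaching another's. The jail.conf "if|addr" and "+=" syntax, the interface names igb0/lo1, the 10.10.10.0/24 LAN and the 127.0.1.N numbering are my assumptions, chosen to match the mail's diagram rather than taken from it. The check function at the end is there so you can confirm a generated block really puts the loopback address first.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the host rc.conf,
# jail.conf(5) and pf.conf(5) fragments for the per-jail loopback workaround.
# Assumptions (mine): host NIC igb0, jail LAN 10.10.10.0/24, cloned loopback
# lo1 carrying 127.0.1.N, with N the same host byte on both networks.

LO_IF="lo1"
EXT_IF="igb0"
EXT_NET="10.10.10"
LO_NET="127.0.1"

# rc.conf(5): create the cloned loopback interface at boot.
rc_conf_fragment() {
    printf 'cloned_interfaces="%s"\n' "$LO_IF"
}

# One jail.conf(5) block.  The lo1 address is the FIRST ip4.addr on purpose:
# in a non-VIMAGE jail, 127.0.0.1 is rewritten to the jail's first IPv4
# address, so a daemon that binds "localhost" lands on 127.0.1.N instead of
# the LAN address.  The "if|addr" form makes jail(8) add and remove the alias.
jail_conf_entry() {
    name=$1
    n=$2
    printf '%s {\n' "$name"
    printf '    ip4.addr  = "%s|%s.%s";\n' "$LO_IF" "$LO_NET" "$n"
    printf '    ip4.addr += "%s|%s.%s/24";\n' "$EXT_IF" "$EXT_NET" "$n"
    printf '}\n'
}

# pf.conf(5): all jails share lo1, so without this rule jail M can reach
# services bound to jail N's "localhost".  Block anything leaving 127.0.1.N
# that is not addressed back to 127.0.1.N.
pf_rules_for() {
    n=$1
    printf 'block return in inet from %s.%s to ! %s.%s\n' \
        "$LO_NET" "$n" "$LO_NET" "$n"
}

# Sanity check on a generated jail block: succeed only if the first ip4.addr
# is on the private loopback, i.e. the workaround is actually in effect.
first_addr_is_private_loopback() {
    first=$(printf '%s\n' "$1" | grep 'ip4.addr  *=' | head -n 1 |
            sed 's/.*"\([^"]*\)".*/\1/')
    case $first in
        "$LO_IF|$LO_NET."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit all three fragments for a "name:N" list, e.g. "jail1:121 jail2:122".
gen_all() {
    echo "# /etc/rc.conf"
    rc_conf_fragment
    echo "# /etc/jail.conf"
    for spec in $1; do
        jail_conf_entry "${spec%%:*}" "${spec#*:}"
    done
    echo "# /etc/pf.conf"
    for spec in $1; do
        pf_rules_for "${spec#*:}"
    done
}
```

Run it as `gen_all "jail1:121 jail2:122"` and paste the fragments into the three files; after `service netif cloneup` and `service jail start jail1`, `ifconfig lo1` on the host should show 127.0.1.121, and a `sockstat -4 -j <jid>` inside the jail should show sendmail on 127.0.1.121:25 rather than on the igb0 address.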

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5750A1F3.8010000>