From: "David N"
To: "Paul Fraser"
Cc: FreeBSD-Questions Mailing List
Date: Tue, 5 Jun 2007 20:23:13 +1000
Subject: Re: isc-dhcp3-server in a jail?

On 05/06/07, Paul Fraser wrote:
> On 6/5/07, David N wrote:
> > To get isc-dhcpd in a jail you need to give the jail access to /dev/bpf0
> >
> > so you have to edit /etc/defaults/devfs.rules
> > add to the end the unhide rules for bpf eg.
> > [devfsrules_unhide_bpf=5]
> > add path bpf0 unhide
> >
> > [devfsrules_dhcp_jail=6]
> > add include $devfsrules_hide_all
> > add include $devfsrules_unhide_basic
> > add include $devfsrules_unhide_login
> > add include $devfsrules_unhide_bpf
> >
> > then in your /etc/rc.conf add
> > jail__devfs_ruleset="devfsrules_dhcp_jail"
> >
> > and restart the jail.
>
> Thank you very much David, that's done the trick! I much prefer having
> dhcpd sitting in a jail along with a few other network services.
>
> Cheers,
>
> P.
>
> --
> Regards,
>
> Paul Fraser
> http://furyc0de.net/
>

np, for the life of me I couldn't get isc-dhcpd working in jails at all
without the bpf0. I tried all the jail patches and everything. It's the
only way I found it to work.

But it does mean that if the dhcpd gets compromised, they'll have
control of the bpf0, not really sure what it does though =)

I'm glad it worked out though

Cheers
David N
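
Added example, not part of the original message or of FreeBSD's own tooling: bpf(4) gives raw read and write access to link-layer traffic on the interface it is attached to, so it is worth checking that only the DHCP jail's ruleset unhides it. The Python sketch below replays devfs.rules rulesets to list which device nodes a jail would see. The function names are hypothetical, and the sample rules are constructed: rulesets 1-4 are abbreviated stand-ins for the stock ones, while 5 and 6 are the ones quoted in the message.

```python
import fnmatch
import re

# Constructed sample: abbreviated stand-ins for stock rulesets 1-4, then 5 and 6 from the message.
SAMPLE = """
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_unhide_login=3]
add path 'ttyp*' unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
[devfsrules_unhide_bpf=5]
add path bpf0 unhide
[devfsrules_dhcp_jail=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_bpf
"""

def parse_rulesets(text):
    """Map ruleset name -> tokenised 'add' rules, in file order."""
    rulesets, current = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)=\d+\]", line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
        elif current is not None and line.startswith("add "):
            current.append(line.split()[1:])
    return rulesets

def is_visible(rulesets, name, device, visible=True):
    """Replay a ruleset against one device name (models only path, hide, unhide, include)."""
    for rule in rulesets[name]:
        if rule[0] == "include":
            visible = is_visible(rulesets, rule[1].lstrip("$"), device, visible)
            continue
        pattern, action = (rule[1].strip("'\""), rule[2]) if rule[0] == "path" else ("*", rule[0])
        if action in ("hide", "unhide") and fnmatch.fnmatchcase(device, pattern):
            visible = action == "unhide"
    return visible

def exposed(rulesets, name, devices):
    """Devices a jail using ruleset `name` would see, out of the candidates given."""
    return [d for d in devices if is_visible(rulesets, name, d)]
```

With the sample rules, `exposed(parse_rulesets(SAMPLE), "devfsrules_dhcp_jail", ["null", "bpf0", "bpf1", "mem"])` returns `["null", "bpf0"]`, while the same call for `devfsrules_jail` returns only `["null"]`. Rules that use other conditions or actions (type, mode, group) are ignored by this sketch.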