Date: Sun, 31 May 2009 20:49:47 +0200
From: Richard Noorlandt <lists.freebsd@gmail.com>
To: freebsd-jail@freebsd.org
Subject: Implications of allow_raw_sockets=1
Message-ID: <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com>
Hello everyone,

I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of jails that run all kinds of network services. One of the jails is running Nagios, which will monitor hosts in the network. The most straightforward way to let Nagios decide if a host is up or down is by pinging other hosts. However, by default this won't work because the security.jail.allow_raw_sockets sysctl is set to '0'.

It would be nice if I were able to ping from the Nagios jail, but the risks of setting security.jail.allow_raw_sockets=1 aren't really clear to me. Some online searching suggests that the sysctl defaults to 0 because raw sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe this has changed. Unfortunately I can't find a clear overview of the security risks involved with allowing raw sockets.

So, what are the exact security implications of allowing raw sockets inside jails on FreeBSD 7.1? And is there a way to restrict raw sockets to specific jails?

Best regards,
Richard