Date: Sat, 17 Jan 2004 19:52:18 +0300 (MSK)
From: Andrew Kolchoogin <andrew@rinet.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/61483: Jail security is not honored using IP Filter
Message-ID: <20040117165218.4D2C9459@mowgli.rinet.ru>
Resent-Message-ID: <200401171700.i0HH0TMV096548@freefall.freebsd.org>

>Number:         61483
>Category:       kern
>Synopsis:       Jail security is not honored using IP Filter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 17 09:00:29 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Kolchoogin
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD mowgli.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #3: Fri Dec 19 19:18:12 MSK 2003 andrew@mowgli.rinet.ru:/usr/src/sys/compile/UNIX i386
>Description:
Although there is no ability to see IP firewall rules set up using FreeBSD
'standard' ipfw package, alternate firewall toolkit -- ipf -- doesn't honor
jail security: ipfstat -io/ipnat -l works fine even inside jail.
>How-To-Repeat:
1) Set up any jail:

    mkdir /usr/jail
    cd /usr/src
    make buildworld
    make DESTDIR=/usr/jail installworld
    cd etc
    make DESTDIR=/usr/jail distribution

2) Run shell inside jail:

    jail /usr/jail localhost 127.0.0.1 /bin/tcsh

3) Start 'ipfstat' command:

    ipfstat -io

And you will see all of your IP filter rules set up outside jail.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: