Date: Fri, 23 Sep 2005 10:22:31 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: freebsd-current@FreeBSD.org
Subject: Re: jail's periodic stuff
Message-ID: <20050923092231.GF94511@uk.tiscali.com>
In-Reply-To: <20050922122113.GO24643@obiwan.tataz.chchile.org>
References: <20050922122113.GO24643@obiwan.tataz.chchile.org>

On Thu, Sep 22, 2005 at 02:21:13PM +0200, Jeremie Le Hen wrote:
> there are some periodic scripts which shouldn't be run inside a jail,
> because jail's restrictions would prevent the utility from working correctly.
> This includes those that gather statistics from various firewalls,
> in security/ :
> 510.ipfdenied
> 520.pfdenied
> 550.ipfwlimit
> 600.ip6fwdenied
> 610.ipf6denied
> 650.ip6fwlimit
...
> I would like to hear your comments on this and on the best way to solve
> this problem. My first thought was to add
>
> % if [ `sysctl -n security.jail.jailed` -eq 1 ]
> % then
> %     exit 0
> % fi
>
> just before the main case statement, but there may be smarter ways to
> achieve this.

A mechanism which already exists is to create /etc/periodic.conf within your
jail, disabling the individual scripts you don't want to run. See
/etc/defaults/periodic.conf for the settings available (or
/usr/share/examples/etc/defaults/periodic.conf).

However, it might be a good idea for FreeBSD to provide a sample periodic.conf
for use in a jail environment.

Regards,

Brian.
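
The periodic.conf approach from the reply above, as an added example that is not part of the original message or of FreeBSD's own code: a POSIX sh function that prints jail-local overrides for the six scripts named in the thread. The knob pattern `daily_status_security_<name>_enable` and the function names are assumptions, so each knob is checked against the defaults file before it is emitted, and the embedded defaults file is a constructed sample.

```shell
#!/bin/sh
# Added example: build a jail-local periodic.conf that turns off the
# firewall-statistics security scripts named in the thread.

# Script names as listed in the quoted message (security/ directory).
JAIL_SKIP_SCRIPTS="510.ipfdenied 520.pfdenied 550.ipfwlimit
600.ip6fwdenied 610.ipf6denied 650.ip6fwlimit"

# gen_jail_periodic_conf DEFAULTS  (hypothetical helper name)
# Prints override lines on stdout. A knob is emitted only if DEFAULTS
# defines it, so a renamed or absent knob is reported on stderr and the
# function returns non-zero instead of writing a silent no-op.
gen_jail_periodic_conf() {
    defaults=$1
    [ -r "$defaults" ] || { echo "cannot read $defaults" >&2; return 1; }
    missing=0
    for script in $JAIL_SKIP_SCRIPTS; do
        name=${script#*.}                 # 510.ipfdenied -> ipfdenied
        # Assumed naming pattern; confirmed against DEFAULTS just below.
        knob="daily_status_security_${name}_enable"
        if grep -q "^${knob}=" "$defaults"; then
            printf '%s="NO"\t# %s\n' "$knob" "$script"
        else
            echo "no knob $knob in $defaults (for $script)" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample standing in for /etc/defaults/periodic.conf.
# The ip6fwlimit knob is left out on purpose to show the failure path.
make_sample_defaults() {
    cat > "$1" <<'EOF'
daily_status_security_ipfdenied_enable="YES"
daily_status_security_pfdenied_enable="YES"
daily_status_security_ipfwlimit_enable="YES"
daily_status_security_ip6fwdenied_enable="YES"
daily_status_security_ipf6denied_enable="YES"
EOF
}
```

On a real host, pass /etc/defaults/periodic.conf as the argument and redirect stdout into the jail's own /etc/periodic.conf once the function returns zero.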