Date: Sun, 30 Nov 2008 17:32:28 +0100
From: Frank Behrens <frank@harz.behrens.de>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: Anyone interested in jail patches?
Message-ID: <4932C01C.4020609@harz.behrens.de>
In-Reply-To: <20081129165714.E61259@maildrop.int.zabbadoz.net>
References: <200811272118.mARLIdKH006580@post.behrens.de> <20081129165714.E61259@maildrop.int.zabbadoz.net>

Bjoern A. Zeeb wrote:
> On Thu, 27 Nov 2008, Frank Behrens wrote:
>> On the other side I still read in the patched jail(2) man page:
>> "Similarly, it might be a good idea to add an address alias flag such
>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>> address...". Can you explain the current behaviour?
>
> I think this question is related to your PR kern/84215.

Yes.

> The current situation is: jails take precedence. So if sshd is
> listening on inaddr_any on the host and on inaddr_any inside a jail
> the connection to an IP belonging to a jail will end up inside the
> jail; any connections to IPs not belonging to jails will end up on the
> base.

So we have now the desired behaviour. Your explanation should replace
the (now incorrect) sentence in the man page. Please excuse my error,
it is in jail(8), not jail(2).

> Obviously if you stop the jail and ssh to a former jail IP you'll end
> up on the base system and ssh would complain about different keys
> possibly while telnet or similar things won't notice.

This is expected and not easy to circumvent.

Regards,
Frank