From owner-freebsd-jail@FreeBSD.ORG Sun May 31 22:10:29 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B704B10656A3 for ; Sun, 31 May 2009 22:10:29 +0000 (UTC) (envelope-from justin@sigsegv.ca)
Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.28]) by mx1.freebsd.org (Postfix) with ESMTP id 810D68FC22 for ; Sun, 31 May 2009 22:10:29 +0000 (UTC) (envelope-from justin@sigsegv.ca)
Received: by yx-out-2324.google.com with SMTP id 8so3739765yxb.13 for ; Sun, 31 May 2009 15:10:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.122.9 with SMTP id z9mr10214983ybm.196.1243806456190; Sun, 31 May 2009 14:47:36 -0700 (PDT)
In-Reply-To: <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com>
References: <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com>
From: "Justin G."
Date: Sun, 31 May 2009 14:47:16 -0700
Message-ID: <5da021490905311447ya99c484ucaeabc74e813f394@mail.gmail.com>
To: freebsd-jail@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: Implications of allow_raw_sockets=1
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Sun, 31 May 2009 22:10:30 -0000

On Sun, May 31, 2009 at 11:49 AM, Richard Noorlandt wrote:
> Hello everyone,
>
> I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
> jails that run all kinds of network services. One of the jails is running
> Nagios, which will monitor hosts in the network. The most straightforward
> way to let Nagios decide if a host is up or down is by pinging other
> hosts. However, by default this won't work because the
> security.jail.allow_raw_sockets sysctl is set to '0'.
>
> It would be nice if I was able to ping from the Nagios jail, but the risks
> of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
> Some online searching suggests that the sysctl defaults to 0 because raw
> sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
> this has changed. Unfortunately I can't find a clear overview of the
> security risks involved with allowing raw sockets.
>
> So, what are the exact security implications of allowing raw sockets inside
> jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
> specific jails?
>
> Best regards,
>
> Richard
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

At this time there is no way to set allow_raw_sockets on a per-jail basis.
Raw sockets can allow processes to sniff on the network, craft malformed
packets, execute DDoS attacks, inject packets, among other things.
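A small check a jail administrator can run inside a jail to confirm that the kernel is in fact refusing raw sockets; this is an added example by the editor, not code from either poster. It assumes the kernel answers a refused raw socket with EPERM (FreeBSD's jail privilege check) or EACCES, and it only opens and closes the socket, never sending anything.

```c
/* Added example: probe whether this context may open an IPv4 raw socket,
 * the capability that allow_raw_sockets=1 would grant to every jail. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum raw_state { RAW_ALLOWED = 0, RAW_BLOCKED = 1, RAW_UNKNOWN = 2 };

/* Map the errno left by a failed socket(2) call to a verdict. */
enum raw_state classify_raw_errno(int err)
{
    if (err == 0)
        return RAW_ALLOWED;
    if (err == EPERM || err == EACCES)   /* jail or privilege refused it */
        return RAW_BLOCKED;
    return RAW_UNKNOWN;                  /* e.g. EPROTONOSUPPORT */
}

/* Try to create an ICMP raw socket (what ping(8) needs) and close it at
 * once; nothing is sent. Returns the verdict and stores errno in *err. */
enum raw_state probe_raw_socket(int *err)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        *err = errno;
        return classify_raw_errno(*err);
    }
    close(fd);
    *err = 0;
    return RAW_ALLOWED;
}

int main(void)
{
    int err;
    enum raw_state st = probe_raw_socket(&err);
    if (st == RAW_ALLOWED)
        puts("raw sockets ALLOWED here: this jail could sniff or craft packets");
    else if (st == RAW_BLOCKED)
        printf("raw sockets blocked (%s): jail restriction is in effect\n",
               strerror(err));
    else
        printf("inconclusive: socket() failed with %s\n", strerror(err));
    return st == RAW_BLOCKED ? 0 : 1;
}
```

Run it as root inside the jail in question: exit status 0 means the restriction is holding, 1 means raw sockets are available to that jail.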