From owner-freebsd-hackers@FreeBSD.ORG Wed Mar 2 22:25:07 2011 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9249F1065672 for ; Wed, 2 Mar 2011 22:25:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [IPv6:2001:4068:10::3]) by mx1.freebsd.org (Postfix) with ESMTP id 441D88FC16 for ; Wed, 2 Mar 2011 22:25:07 +0000 (UTC) Received: from localhost (amavis.fra.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 9D89841C679; Wed, 2 Mar 2011 23:25:06 +0100 (CET) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([192.168.74.103]) by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id irGTxWviOAZR; Wed, 2 Mar 2011 23:25:06 +0100 (CET) Received: by mail.cksoft.de (Postfix, from userid 66) id DB94641C7A8; Wed, 2 Mar 2011 23:25:05 +0100 (CET) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 9C4DC4448FC; Wed, 2 Mar 2011 22:20:39 +0000 (UTC) Date: Wed, 2 Mar 2011 22:20:39 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Dirk Engling In-Reply-To: <4D5AC7F1.7020501@erdgeist.org> Message-ID: <20110302221932.T13400@maildrop.int.zabbadoz.net> References: <4D5AC7F1.7020501@erdgeist.org> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-hackers@freebsd.org Subject: Re: Detecting listening servers in multi-ip jails X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2011 22:25:07 -0000 On Tue, 15 Feb 2011, Dirk Engling wrote: > Hello, > > until jails could be bound to several ip addresses, my convenience > feature in ezjail to check for and warn about listening services in the > host system and other jails worked simply by asking: > > listeners_ip=`sockstat -4 -l | grep "${ip}:[[:digit:]]"` > listeners_all=`sockstat -4 -l | grep "*:[[:digit:]]"` > > Now where ip adresses are not rewritten on listen() calls anymore, > services in jails can bind to 0.0.0.0 as well and will match the latter, > although they don't really cause the trouble I want to warn users about > (unless, of course the jail really is bound to the same ip address and > the service then binds to 0.0.0.0). > > Now I can, using "nc -z", test if the service really listens. That > allows me to filter and only report those services that actually > respond. However, this is far from clean. > > Are there other ways to relibly test for listening services on any port > for a given ip address? get the pid and use a cross-check on the process; there is no easy way do it otherwise currently unless you write your own extensions needing kvm. /bz -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new address family.