Date: Thu, 23 Nov 2000 21:27:57 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@freebsd.org
Subject: Re: How to isolate jails from the host system ?
Message-ID: <20001123212757.W27042@speedy.gsinet>
In-Reply-To: <20001123174231.A4498@hub.all.yans.ru>; from kate@gutatelecom.ru on Thu, Nov 23, 2000 at 05:42:31PM +0300
References: <20001123174231.A4498@hub.all.yans.ru>
On Thu, Nov 23, 2000 at 17:42 +0300, Ekaterina Ivannikova wrote:
>
> It appears that though processes in a jail are not allowed to
> bind to the host system's ip address, they are still assigned
> this ip address if they try to connect to daemons running on
> the host system.

That's hard to believe. :) At least it contradicts the jail(2) idea.
Processes in jails can *only* bind to the IP assigned to the jail.
Not even 127.0.0.1 is available. Although there was (is?) a bug with
UDP packets mistakenly being sent _from_ the host's address under
certain circumstances. But a fix is available, search for "jail" in
the gnats database.

What you cannot defend against is processes in the host binding to
IPs delegated into jails. But you don't run any services in the host
except for the jail(8)s, do you? There's no real need to do so except
for the administrative access sshd -- unless one has a serial
console ...

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
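As an added check that is not part of the mail above: the reply points out that host processes can still bind IPs delegated into jails, so the host's listening sockets are worth auditing. The script below is example code written for this archive page, not the author's; it assumes the jail IPs 192.0.2.10 and 192.0.2.11 and uses a constructed `sockstat -4 -l` listing, and it flags every host listener bound to the wildcard address or directly to a jail IP.

```sh
#!/bin/sh
# Added example, not from the mail above. Audits a FreeBSD host's listening
# sockets for services that would answer on an IP delegated to a jail:
# anything bound to the wildcard address (*) or directly to a jail's IP.
# Input is the output of `sockstat -4 -l`, whose columns are
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
# JAIL_IPS and the sample listing are constructed for this example.

JAIL_IPS="192.0.2.10 192.0.2.11"

# Constructed sockstat output: sshd pinned to the host's own address,
# inetd and syslogd on the wildcard, and an httpd bound to a jail IP.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   192.0.2.1:22          *:*
root     inetd      601   5  tcp4   *:21                  *:*
www      httpd      700   3  tcp4   192.0.2.10:80         *:*
root     syslogd    300   6  udp4   *:514                 *:*'

# Reads a sockstat listing on stdin and prints, one per line,
# "PROTO LOCAL_ADDRESS COMMAND PID" for every listener that claims a jail IP.
# A listener bound only to a non-jail host address (sshd here) is not reported.
find_host_listeners_on_jail_ips() {
    awk -v jails="$JAIL_IPS" '
        BEGIN { n = split(jails, j, " "); for (i = 1; i <= n; i++) isjail[j[i]] = 1 }
        NR == 1 { next }                  # skip the column header
        {
            split($6, a, ":"); ip = a[1]  # strip the :port suffix
            if (ip == "*" || (ip in isjail))
                print $5, $6, $2, $3
        }'
}

# Runs the audit on the constructed sample; on a real host use
#   sockstat -4 -l | find_host_listeners_on_jail_ips
# Caveat: sockstat run in the host also lists sockets of jailed processes,
# so exclude the jails' own PIDs before reading a hit as a host-side leak.
audit_sample() {
    printf '%s\n' "$SAMPLE" | find_host_listeners_on_jail_ips
}

audit_sample
```

On the sample, the report lists inetd, syslogd and httpd and stays silent about sshd, which is bound to the host's own address only.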