Date: Fri, 24 Nov 2000 11:16:30 +0300
From: Ekaterina Ivannikova <kate@gutatelecom.ru>
To: freebsd-security@freebsd.org
Subject: Re: How to isolate jails from the host system ?
Message-ID: <20001124111630.A2238@hub.all.yans.ru>
In-Reply-To: <20001123212757.W27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Thu, Nov 23, 2000 at 09:27:57PM +0100
References: <20001123174231.A4498@hub.all.yans.ru> <20001123212757.W27042@speedy.gsinet>
On Thu, Nov 23, 2000 at 09:27:57PM +0100, Gerhard Sittig wrote:
> On Thu, Nov 23, 2000 at 17:42 +0300, Ekaterina Ivannikova wrote:
> >
> > It appears that though processes in a jail are not allowed to
> > bind to the host system's ip address, they are still assigned
> > this ip address if they try to connect to daemons running on
> > the host system.
>
> That's hard to believe. :) At least it contradicts the jail(2)
> idea. Processes in jails can *only* bind to the IP assigned to
> the jail. Not even 127.0.0.1 is available.
>
> Although there was (is?) a bug with UDP packets mistakenly being
> sent _from_ the host's address under certain circumstances. But
> a fix is available, search for "jail" in the gnats database.
>

I tripped over this one. This is bug kern/20946, status closed, but it
seems that the relevant patch did not make it into the -STABLE source.
The patch may be found at
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/udp_usrreq.c.diff?r1=1.73&r2=1.74&f=u

Thanx for your help, now it works as expected.

Regards,
Ekaterina Ivannikova

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
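The thread above turns on which local address the kernel picks for a jailed process's UDP socket. The following is an added check, not code from the mailing list or from FreeBSD's udp_usrreq.c: it connects a UDP socket to a destination (connect(2) on a datagram socket sends no packet, it only fixes the route and source address) and reads the chosen source back with getsockname(2). Run inside a jail against a host daemon's address, with the jail's IP as the expected source, it reports whether traffic would leave from the jail IP or still from the host's address, the symptom kern/20946 describes. The destination port 53 and the default addresses are placeholders.

```c
/* Added example, not part of the thread or of FreeBSD's udp_usrreq.c:
 * report which local address the kernel selects as the source for a UDP
 * socket aimed at a given destination. connect(2) on a datagram socket
 * transmits nothing; it only records the peer and picks the outgoing
 * address, which getsockname(2) then exposes. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill `out` (at least INET_ADDRSTRLEN bytes) with the dotted-quad source
 * address chosen for UDP traffic to dest_ip:port. Returns 0 on success,
 * -1 on any failure (bad address, unreachable route, socket error). */
int udp_source_for(const char *dest_ip, unsigned short port,
                   char *out, size_t outlen)
{
    struct sockaddr_in dst, local;
    socklen_t len = sizeof(local);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    if (inet_pton(AF_INET, dest_ip, &dst.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    /* No datagram leaves the machine here; the kernel only binds the
     * socket to the address it would use for this destination. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        close(fd);
        return -1;
    }
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    if (inet_ntop(AF_INET, &local.sin_addr, out, outlen) == NULL)
        return -1;
    return 0;
}

/* Return 1 if UDP traffic to dest_ip would leave from expected_src,
 * 0 if it would leave from some other address, -1 on error.
 * Inside a jail, expected_src is the jail's IP; any other answer means
 * the kernel is still sourcing datagrams from an address the jail
 * should not be able to use. */
int udp_source_matches(const char *dest_ip, unsigned short port,
                       const char *expected_src)
{
    char got[INET_ADDRSTRLEN];
    if (udp_source_for(dest_ip, port, got, sizeof(got)) != 0)
        return -1;
    return strcmp(got, expected_src) == 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    char src[INET_ADDRSTRLEN];
    /* Placeholder defaults: pass the host daemon's IP and the jail's IP
     * as the two arguments when running this inside a jail. */
    const char *dest = argc > 1 ? argv[1] : "127.0.0.1";
    const char *want = argc > 2 ? argv[2] : "127.0.0.1";
    if (udp_source_for(dest, 53, src, sizeof(src)) != 0) {
        perror("udp_source_for");
        return 2;
    }
    printf("UDP to %s would be sent from %s (expected %s)\n", dest, src, want);
    return udp_source_matches(dest, 53, want) == 1 ? 0 : 1;
}
```

Usage: `./udpsrc <host-daemon-ip> <jail-ip>` from within the jail; exit status 0 means the source matches the jail's IP, 1 means it does not. Run outside a jail against 127.0.0.1 the source is loopback itself, which is what the assertions below rely on.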