From owner-freebsd-arch@FreeBSD.ORG Mon Feb 28 21:12:29 2005
Message-ID: <35de0c300502281312617af051@mail.gmail.com>
Date: Mon, 28 Feb 2005 16:12:28 -0500
From: Bryan Fullerton
To: freebsd-arch@freebsd.org, freebsd-security@freebsd.org
In-Reply-To: <20050228162548.GA57140@frontfree.net>
Subject: Re: bind() on 127.0.0.1 in jail: bound to the outside address?
List-Id: Discussion related to FreeBSD architecture

I'd noticed this as well, but assumed it was a feature.
Given that there's only one IP inside the jail, how do you bind to a loopback IP that doesn't exist? I suspect the behavior you're seeing is another 'simple hack' to allow binding to the loopback IP to not just immediately fail with "unable to bind".

If this isn't documented somewhere (I didn't bother to check; it made sense to me once I figured out what it was doing) it should be. I have noticed that documentation of jail in the handbook in general is a bit lacking; maybe I'll see if I can find time to look at that (heh).

Bryan

On Tue, 1 Mar 2005 00:25:48 +0800, Xin LI wrote:
> Dear folks,
>
> It seems that doing bind() inside a jail (whose IP address is an outside
> address) will result in some weird behavior, in that the actual bind is
> done on the outside address.
>
> For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1
> will finally result in a bind to 192.168.1.1:6666. With this in mind,
> it is possible that some formerly secure configurations fail in a jail
> environment.
>
> It seems that our implementation will forward every loopback connection
> to the outside address. A simple hack to work around this issue might
> be to modify the individual bind procedures to treat the prison case with
> a loopback address, but I'm not sure if a true solution can solve the
> issue with minimum code change and code complexity.
>
> Your ideas are highly appreciated!
>
> Cheers,
> --
> Xin LI http://www.delphij.net/
> See complete headers for GPG key and other information.
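The rewrite Xin LI describes can be verified from inside a jail without reading kernel source: bind a socket to 127.0.0.1, then ask the kernel with getsockname() which address it actually recorded. The program below is an added example, not code from this thread or from FreeBSD; it uses only the standard BSD sockets API, and port 0 so the check never collides with a running service. Run it inside the jail and, for comparison, on the host: a service that believes it is loopback-only but gets reported as bound to the jail's outside address is exposed to the network.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to req_ip:port, then ask the kernel (getsockname) which
 * address it really recorded. Returns 1 if the bound address differs from the
 * requested one (the jail rewrite described in the thread), 0 if it matches,
 * -1 on error. 'actual' receives the kernel-reported address in dotted-quad form. */
int bind_rewritten(const char *req_ip, uint16_t port, char *actual, size_t actual_len)
{
    struct sockaddr_in want, got;
    socklen_t got_len = sizeof got;
    int fd;

    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_port = htons(port);
    if (inet_pton(AF_INET, req_ip, &want.sin_addr) != 1)
        return -1;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &got_len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &got.sin_addr, actual, actual_len) == NULL)
        return -1;
    /* Compare the raw 32-bit address, not the string, so formatting cannot mask a change. */
    return got.sin_addr.s_addr != want.sin_addr.s_addr ? 1 : 0;
}

int main(void)
{
    char actual[INET_ADDRSTRLEN];
    int rc = bind_rewritten("127.0.0.1", 0, actual, sizeof actual);
    if (rc < 0) { perror("bind_rewritten"); return 2; }
    printf("requested 127.0.0.1, kernel bound %s (%s)\n", actual,
           rc ? "REWRITTEN: loopback bind landed on the jail's outside address"
              : "as requested");
    return rc;
}
```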