From: Geoffroy DESVERNAY <dgeo@ec-marseille.fr>
Date: Mon, 26 May 2008 08:15:47 +0200
To: Steven Hartland
Cc: freebsd-jail@freebsd.org
Subject: Re: Jail resource limits
Message-ID: <483A5593.60003@ec-marseille.fr>
In-Reply-To: <1F08E6231F60497A9BF556590BB56E9A@multiplay.co.uk>

>> come back the same way
>>
>> I still don't know if this behaviour is the better one (one may think
>> that jail's packets should not go through different interface ?), but it
>> works quite well ;)
>
> Surely that compromises jail security i.e. being able to access
> resources from the host box even if the jail has no perceivable
> access to them?
>

It has to be taken into consideration before production time at least ;)

> I assume this still doesn't work if the server is in fact run on
> the main host only running on localhost?
>

I think the main host is never 'only' on localhost, since you must add
interfaces and addresses for the different jails it hosts, and those
interfaces are used by the host's routing table...

The IP addresses you use for jails are usable by the main host, and the
routing table of the main host is used to route the jails' packets... so any
jail you host can use any other jail's route. (If you have only localhost on
the main host and *only one* interface for all your jails, it doesn't hurt.)

In our case, one of our jail hosts is using pf's 'route-to' to re-route
packets going to a 'forbidden' interface from jails.

Regards,
-- 
Geoffroy Desvernay
Ecole Centrale de Marseille
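As an added illustration of the mitigation Geoffroy describes (this is not the poster's own configuration): a pf.conf fragment for a host whose jails sit on two interfaces, using 'route-to' to push a public jail's packets back out the public side when the shared routing table would send them over the internal interface, and a plain block rule for the opposite direction. Interface names, addresses and the gateway are assumed.

```pf
# Added example, not from the original message. Assumed layout (constructed):
#   em0 = public interface, gateway 203.0.113.1, hosting jails 203.0.113.10-11
#   em1 = internal interface,                    hosting jails 10.0.0.10-11
# Jail addresses are ordinary aliases on the host, so the host's single
# routing table would happily send a public jail's packets out em1 toward
# the internal network, even though that jail "has" no internal address.
ext_if    = "em0"
int_if    = "em1"
ext_gw    = "203.0.113.1"
pub_jails = "{ 203.0.113.10, 203.0.113.11 }"
int_jails = "{ 10.0.0.10, 10.0.0.11 }"

# What the message describes: re-route instead of dropping. A packet from a
# public jail that the stack has already steered toward em1 is handed to
# the external gateway on em0 instead, so the jail never touches em1.
pass out on $int_if route-to ($ext_if $ext_gw) from $pub_jails to any

# Stricter alternative for the other direction: internal jails may not use
# the public interface at all. 'quick' stops rule evaluation here so no
# later, broader pass rule can override it; 'log' lets you see attempts.
block out log quick on $ext_if from $int_jails to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` afterwards shows the rules as pf parsed them.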