From: "Andrew Hotlab"
To: "Nikos Vassiliadis"
Cc: FreeBSD-Jail
Date: Wed, 4 Jan 2012 11:41:15 +0100
Subject: Re: jailed process listening on host addresses

-----Original Message-----
From: Nikos Vassiliadis
Sent: Wednesday, January 04, 2012 9:54 AM
To: Andrew Hotlab
Cc: FreeBSD-Jail
Subject: Re: jailed process listening on host addresses

> On 1/4/2012 3:10 AM, Andrew Hotlab wrote:
> > I noticed a strange behavior some days ago, but I can't say how
> > long it has been happening for.
> > Some processes which are running in
> > different jails on the same host seem to be listening on all host IPs.
> >
> > It's happening on several hosts right now (all are running FreeBSD/amd64
> > 8.2-RELEASE-p5), with both UDP and TCP listeners. Any jail is using a
> > single unicast IP address. I really hope to miss something important...
> > or should I guess that these processes are "escaping" from the jails?!
> > :S
> >
>
> Could you share more about your setup?
> ifconfig, jls, ps in the jail, commands given to create the jail...
> I tried to reproduce the problem on an amd64 8.2-RELEASE, without
> success.
>

Thank you Nikos, the following commands are executed on the host:

# ifconfig xl0
xl0: flags=8843 metric 0 mtu 1500
	options=82009
	ether 00:01:02:aa:9f:c2
	inet 172.19.2.48 netmask 0xffffff00 broadcast 172.19.2.255
	inet 172.19.2.49 netmask 0xffffffff broadcast 172.19.2.49
	inet 172.19.2.50 netmask 0xffffffff broadcast 172.19.2.50
	inet 172.19.2.51 netmask 0xffffffff broadcast 172.19.2.51
	inet 172.19.2.52 netmask 0xffffffff broadcast 172.19.2.52
	inet 172.19.2.53 netmask 0xffffffff broadcast 172.19.2.53
	inet 172.19.2.54 netmask 0xffffffff broadcast 172.19.2.54
	inet 172.19.2.55 netmask 0xffffffff broadcast 172.19.2.55
	inet 172.19.2.56 netmask 0xffffffff broadcast 172.19.2.56
	inet 172.19.2.57 netmask 0xffffffff broadcast 172.19.2.57
	inet 172.19.2.58 netmask 0xffffffff broadcast 172.19.2.58
	inet 172.19.2.59 netmask 0xffffffff broadcast 172.19.2.59
	inet 172.19.2.60 netmask 0xffffffff broadcast 172.19.2.60
	inet 172.19.2.61 netmask 0xffffffff broadcast 172.19.2.61
	inet 172.19.2.62 netmask 0xffffffff broadcast 172.19.2.62
	inet 172.19.2.63 netmask 0xffffffff broadcast 172.19.2.63
	media: Ethernet autoselect (100baseTX )
	status: active

# jls | grep 172.19.2.50
5 172.19.2.50 rjpbx01 /usr/jails/rjpbx01

# jexec 5 /usr/local/etc/rc.d/asterisk start
Starting asterisk.

# sockstat -4l | grep asterisk
931 asterisk 91780 11 udp4 172.19.2.50:5060 *:*
931 asterisk 91780 12 tcp4 172.19.2.50:2000 *:*
931 asterisk 91780 18 tcp4 172.19.2.50:1720 *:*
931 asterisk 91780 19 udp4 172.19.2.50:2727 *:*
931 asterisk 91780 22 udp4 172.19.2.50:4569 *:*
931 asterisk 91780 23 udp4 *:* *:*
931 asterisk 91780 24 udp4 172.19.2.50:4520 *:*

I think there might be a problem with specific processes (in this case,
asterisk), because if I run several other commands (for example the nc(1)
you showed me), all is working as expected. Until now, I noticed this
behavior with these processes: unfsd, rpcbind, asterisk,
transmission-daemon, mDNSResponderPosix.

I'll try to test the same daemons in a jail with another version of FreeBSD
as soon as possible. I will also verify whether these daemons are really
listening on all IP addresses, by analyzing some traffic with tcpdump(1).

Andrew
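
Added example, not part of the original message: a small filter that labels each `sockstat -4l` line by how its local address relates to the jail's IP, so the single `*:*` entry in the output above stands out from the six sockets bound to 172.19.2.50. The helper names `check_jail_listeners` and `sample_sockstat` and the two "exampled" lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: label each `sockstat -4l` line by its local address
# relative to one jail IP. check_jail_listeners and sample_sockstat are
# hypothetical helper names, not FreeBSD tools.

# Usage: sockstat -4l | check_jail_listeners <jail-ip> [command]
check_jail_listeners() {
    awk -v ip="$1" -v cmd="${2:-}" '
        # Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        NF < 7 || $1 == "USER" { next }     # header or short line
        cmd != "" && $2 != cmd { next }     # optional COMMAND filter
        {
            laddr = $6
            n = split(laddr, part, ":")
            port = part[n]                  # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == ip)         label = "jail-ip"
            else if (addr != "*")   label = "other-ip"
            else if (port == "*")   label = "wildcard-noport"  # shown as *:*
            else                    label = "wildcard-port"    # shown as *:N
            printf "%s %s fd=%s %s %s\n", label, $2, $4, $5, laddr
        }'
}

# The asterisk lines are copied from the message above; the two
# "exampled" lines are constructed to exercise the remaining labels.
sample_sockstat() {
    cat <<'EOF'
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
931 asterisk 91780 11 udp4 172.19.2.50:5060 *:*
931 asterisk 91780 12 tcp4 172.19.2.50:2000 *:*
931 asterisk 91780 18 tcp4 172.19.2.50:1720 *:*
931 asterisk 91780 19 udp4 172.19.2.50:2727 *:*
931 asterisk 91780 22 udp4 172.19.2.50:4569 *:*
931 asterisk 91780 23 udp4 *:* *:*
931 asterisk 91780 24 udp4 172.19.2.50:4520 *:*
root exampled 1234 5 tcp4 *:8080 *:*
root exampled 1234 6 tcp4 172.19.2.48:8081 *:*
EOF
}

sample_sockstat | check_jail_listeners 172.19.2.50
```

The labels only describe what sockstat printed in the local-address column; confirming what a flagged socket actually receives still needs the tcpdump(1) check mentioned in the message.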