From owner-freebsd-questions@freebsd.org Fri Jul 12 16:51:22 2019
Subject: Re: p0f, bpf, and jail
From: Jeff Anton
To: luzar722@gmail.com
Cc: freebsd-questions@freebsd.org
Date: Fri, 12 Jul 2019 09:51:26 -0700
Message-ID: <7dbb2c93-7903-0449-83f4-3c60abb7bf0b@hesiod.org>
This looks like what I dealt with trying to get dhcpd running in a jail.  It needs raw sockets and bpf.  Jails don't get those by default.

The devices that are in a jail are set up from /etc/default/devfs.rules, and you see there ruleset number 4 for jails.

I needed a special devfs ruleset for my jail.  So I created /etc/devfs.rules with the following contents:

[nsjailrules=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

Then in my jail.conf for this jail I added:

        allow.raw_sockets;
        devfs_ruleset = 5;

This allowed dhcpd to work in the jail!  Note that this opens a jail up to doing lots of bad stuff potentially, but it is more about giving the minimum needed permissions to get dhcpd running.  It is still far more restricted than running dhcpd outside of a jail.

Jeff Anton

================================================================

Hello,

I'm using FreeBSD 12 on amd64 hardware. p0f is passive OS fingerprinting; what I'm wanting to do is determine, by passively analyzing a connecting machine's TCP stack, what kind of machine it is, and based on that result add in an email header to the message. So, for example, if someone connects to my system by means of an XP laptop and tries to send email, I'll know by that email header the type of connecting machine. Later down the antispam chain the antispam software can take an action, most likely a silent drop, based on that header.

Thanks.
Dave.
On 7/10/19, Ernie Luzar wrote:
> David Mehler wrote:
>> Hello,
>>
>> Is anyone using p0f in a jail on FreeBSD 12? I'm getting two errors,
>> one about bpf not being available, the other about how the jail is
>> trying to sniff the host's network interface. The tcpdump-type
>> expression is 'tcp dst 1515'
>>
>> Thanks.
>> Dave.
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>>
> I see you have gotten no replies. This may be due to the lack of any details
> provided by you. You will get better results if you provide details
> about what you're trying to do, what hardware you are using and what
> version of FreeBSD you are running. By default bpf is disabled for
> jails. Have no idea what p0f is.
>
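The devfs ruleset and jail.conf settings Jeff describes above, turned into a small audit script (an added example, not code from the thread): it reads a jail's devfs_ruleset and allow.raw_sockets from jail.conf and lists the device globs that ruleset unhides in /etc/devfs.rules, so you can confirm the jail exposes only bpf and nothing more. The jail name dhcpjail and both file contents are constructed samples mirroring the message.

```shell
#!/bin/sh
# Audit what a jail's devfs ruleset exposes from the two files the thread
# describes (/etc/devfs.rules and jail.conf). Sample copies are constructed
# below so this runs offline; the jail name "dhcpjail" is an assumption.
DEVFS_RULES=$(mktemp); JAIL_CONF=$(mktemp); trap 'rm -f "$DEVFS_RULES" "$JAIL_CONF"' EXIT
cat > "$DEVFS_RULES" <<'EOF'
[nsjailrules=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
EOF
cat > "$JAIL_CONF" <<'EOF'
dhcpjail {
        allow.raw_sockets;
        devfs_ruleset = 5;
}
EOF

# jail_param CONF JAIL KEY: print the line that sets KEY inside JAIL's block
jail_param() {
    awk -v j="$2" -v k="$3" '
        $1 == j && $2 == "{"     { in_jail = 1; next }
        in_jail && $1 == "}"     { in_jail = 0 }
        in_jail && index($0, k)  { print; exit }' "$1"
}

# ruleset_unhides RULES NUM: print each device glob that an "add path ... unhide"
# line exposes in ruleset NUM (included rulesets like $devfsrules_unhide_basic are not expanded)
ruleset_unhides() {
    awk -v n="$2" -v q="'" '
        /^\[/ { cur = $0; sub(/^\[[^=]*=/, "", cur); sub(/\]$/, "", cur); next }
        cur == n && $1 == "add" && $2 == "path" && $NF == "unhide" { gsub(q, "", $3); print $3 }' "$1"
}

# audit_jail RULES CONF JAIL: one line per exposed glob, then RAW_SOCKETS if raw
# sockets are allowed; fails if the jail's ruleset is not defined in RULES
audit_jail() {
    rs=$(jail_param "$2" "$3" devfs_ruleset | tr -dc 0-9)
    [ -n "$rs" ] || { echo "$3: no devfs_ruleset set" >&2; return 1; }
    grep -q "=${rs}]" "$1" || { echo "ruleset $rs not defined in $1" >&2; return 1; }
    ruleset_unhides "$1" "$rs"
    case "$(jail_param "$2" "$3" allow.raw_sockets)" in
        ''|*false*|*=*0*) ;;       # absent or explicitly disabled
        *) echo RAW_SOCKETS ;;
    esac
}

audit_jail "$DEVFS_RULES" "$JAIL_CONF" dhcpjail
```

Point audit_jail at the real /etc/devfs.rules and /etc/jail.conf to check a live configuration. Rulesets defined in /etc/defaults/devfs.rules and the contents of included rulesets are not expanded, so review those separately.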