From: Harald Schmalzbauer
To: freebsd-current@freebsd.org
Date: Tue, 31 May 2005 09:34:32 +0200
Subject: unwanted packet forwarding / PR candidate?

Hello,

in a previous e-mail I described some problems with multihomed jail-systems. But there is another general problem.

                              INET
                               |
    |-----------|          |----A----|       |---------|
    |   Box A   |          | Router  |       |  Box B  |
    |if0     if1|          |-v-----v-|       |----v----|
    |-v-------v-|            |     |              |
      |       |     DMZ      |     |              |
      |       |--------------|     |              |
      |                            |              |
      |----------------------------|--------------| LAN

If you look at the diagram you see Box A with two interfaces, if0 (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!

Now when I connect from BoxB (172.16.0.3) to a jail running on BoxA (192.168.0.2) the outgoing packets go over the router into the DMZ. But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2 (BoxA if0) I can connect to the jail running on BoxA via the if0 interface, even if I haven't enabled forwarding on BoxA.

This is a big security hole IMHO. Should I file a PR for that?

My particular problem now is that if I connect from BoxB to a jail on BoxA the answering packets won't go over the router but are instead sent directly over if0 back to the LAN.

Any suggestions on how to solve this? (fwd in IPFW and route-to in PF, but I think this should be handled by the system if jails are used.)

Is it possible (by design of jails) to implement a dedicated interface for a jail?

Thanks,
-Harry
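The two symptoms described above (a jail address reachable through the LAN interface without forwarding, and replies leaving directly over if0 instead of via the router) are both consequences of the host accepting and sending packets for any local address on any interface. The following pf.conf fragment for Box A is an added example and not part of the original mail; it shows the route-to/reply-to approach the poster mentions. The interface names if0/if1 are taken from the diagram, and the DMZ-side router address 192.168.0.1 is an assumption.

```pf
# Added example for Box A, not from the original post.
# Assumptions: if0/if1 are the real interface names, the router's DMZ-side
# address is 192.168.0.1. Adjust the macros to the actual setup.
lan_if  = "if0"              # 172.16.0.2, LAN side of Box A
dmz_if  = "if1"              # 192.168.0.2, DMZ side, address bound to the jail
lan_net = "172.16.0.0/16"
dmz_net = "192.168.0.0/24"
dmz_gw  = "192.168.0.1"      # assumed DMZ address of the router

set skip on lo0

# 1. Close the side door: a packet arriving on the LAN interface but addressed
#    to a DMZ (jail) address is dropped, even though the kernel would otherwise
#    deliver it locally without ip forwarding being enabled.
block in log quick on $lan_if from any to $dmz_net

# 2. Connections to the jail address are only accepted on the DMZ interface.
#    reply-to makes the answer packets of these states leave on $dmz_if via
#    the router instead of following the routing table straight onto the LAN.
pass in on $dmz_if reply-to ($dmz_if $dmz_gw) from any to $dmz_net keep state

# 3. Connections the jail opens itself: if the routing table would push them
#    out over the LAN interface, route-to steers them through the router.
pass out on $dmz_if from $dmz_net to any keep state
pass out quick on $lan_if route-to ($dmz_if $dmz_gw) from $dmz_net to any keep state

# 4. Box A's own LAN address keeps working as before.
pass in  on $lan_if from $lan_net to 172.16.0.2 keep state
pass out on $lan_if from 172.16.0.2 to any keep state
```

Rule 1 is the actual mitigation for the "security hole" in the mail: it is evaluated first (quick) and creates no state, so the static route trick on Box B no longer reaches the jail. Rules 2 and 3 address the second problem, the asymmetric replies; without reply-to on the inbound rule, packets matching an existing state would still be sent according to the routing table. After loading with pfctl, `pfctl -s state` shows the jail's connections with if1 as their interface, which is the check that the policy took effect.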