Date: Tue, 26 Aug 2014 09:33:40 -0600 (MDT)
From: Warren Block <wblock@wonkity.com>
To: John Baldwin <jhb@freebsd.org>
Cc: freebsd-doc@freebsd.org
Subject: Re: ezjail Handbook section
Message-ID: <alpine.BSF.2.11.1408260930380.78298@wonkity.com>
In-Reply-To: <1494646.V9dtS3rr7D@ralph.baldwin.cx>
References: <alpine.BSF.2.11.1408041633520.34818@wonkity.com> <alpine.BSF.2.11.1408201206460.56309@wonkity.com> <alpine.BSF.2.11.1408201720480.93287@wonkity.com> <1494646.V9dtS3rr7D@ralph.baldwin.cx>
On Mon, 25 Aug 2014, John Baldwin wrote:

> On Wednesday, August 20, 2014 05:30:12 PM Warren Block wrote:
>> On Wed, 20 Aug 2014, Warren Block wrote:
>>> On Wed, 20 Aug 2014, John Baldwin wrote:
>>>> On Tuesday, August 19, 2014 6:01:54 pm Warren Block wrote:
>>>>> On Mon, 4 Aug 2014, Warren Block wrote:
>>>>>> Draft version of an ezjail section for the Handbook Jails chapter:
>>>>>> http://www.wonkity.com/~wblock/jails/jails-ezjail.html
>>>>>>
>>>>>> This includes a complete setup at the end for running BIND in a jail.
>>>>>> In addition to a complete jail example, it can also serve as an example
>>>>>> of how to set up BIND now that the old chroot configuration is no more.
>>>>>
>>>>> Asking for review again of the final version at the link above. If
>>>>> there are no major complaints in the next few days, it will be
>>>>> committed.
>>>>
>>>> It's not clear to me if you need lo1? If you are using aliases on an
>>>> external interface as you would with a traditional jail then I think
>>>> you don't need the lo1 interface?
>>>
>>> It's there to keep jails from being involved with lo0 on the host. But I
>>> admit the explanation is fuzzy, and will seek clarification.
>>
>> Updated. It now says:
>>
>> To keep jail loopback traffic off the host's loopback network
>> interface lo0, a second loopback interface is created by adding
>> an entry to /etc/rc.conf:...
>
> I guess my question was more "why?" This isn't ezjail-specific, and neither
> of the other two jail tutorials in this chapter mention lo1. If having lo1 is
> important, then we should explain why and probably do so in the first jail
> example and then apply it consistently in all the jail examples. The "why"
> should detail if this is an optional "nice to have" or if this is "critical to
> security and apps can break out of jails otherwise". My assumption is the
> former, but seeing it documented as a mandatory step in the ezjail config
> implies the latter to me.
It is not required, but (as I understand it) can prevent problems with the host seeing jail loopback traffic. I'm attempting to find an example which shows how the problem appears.
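A check for the configuration question raised in this thread, added here as an example and not taken from the thread or the Handbook draft: it reports any jail whose address is configured on the host's lo0 rather than a separate loopback interface such as lo1. It works on saved `ifconfig` and `jls -h jid name ip4.addr` text; the sample output embedded below is constructed, and the comma-separated ip4.addr column is an assumption about the jls layout.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Handbook draft).
# Goal: detect jail addresses that sit on the host's lo0 instead of lo1.
# On a live FreeBSD host the two inputs would be the output of
#   ifconfig            and   jls -h jid name ip4.addr
# Both samples below are constructed for this example.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet 127.0.1.2 netmask 0xffffffff
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.1.1 netmask 0xffffffff'
# Assumed jls layout: header line, then "jid name addr1,addr2,..." per jail.
SAMPLE_JLS='jid name ip4.addr
1 dnsjail 127.0.1.1,192.168.1.50
2 www 127.0.1.2,192.168.1.51'

# Print the IPv4 addresses on one interface, one per line.
# $1 = interface name; stdin = ifconfig output.
iface_inet_addrs() {
    awk -v want="$1" '
        /^[a-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }   # new interface block
        cur == want && $1 == "inet" { print $2 }          # inet line inside it
    '
}

# Expand jls output into "name address" pairs, one per line (header skipped).
jail_addrs() {
    awk 'NR > 1 { n = split($3, a, ","); for (i = 1; i <= n; i++) print $2, a[i] }'
}

# Print "name address" for every jail address that is configured on lo0.
# $1 = ifconfig text, $2 = jls text.  Empty output means lo0 is clean.
jails_on_lo0() {
    lo0_addrs=$(printf '%s\n' "$1" | iface_inet_addrs lo0)
    printf '%s\n' "$2" | jail_addrs | while read -r name addr; do
        for a in $lo0_addrs; do
            if [ "$a" = "$addr" ]; then printf '%s %s\n' "$name" "$addr"; fi
        done
    done
}

jails_on_lo0 "$SAMPLE_IFCONFIG" "$SAMPLE_JLS"
```

With the constructed samples the only finding is `www 127.0.1.2`, the jail whose loopback address was put on lo0; dnsjail, whose loopback address lives on lo1, is not reported.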
