From owner-freebsd-doc@FreeBSD.ORG Tue Aug 26 15:33:43 2014
Date: Tue, 26 Aug 2014 09:33:40 -0600 (MDT)
From: Warren Block
To: John Baldwin
Cc: freebsd-doc@freebsd.org
Subject: Re: ezjail Handbook section
In-Reply-To: <1494646.V9dtS3rr7D@ralph.baldwin.cx>
List-Id: Documentation project

On Mon, 25 Aug 2014, John Baldwin wrote:

> On Wednesday, August 20, 2014 05:30:12 PM Warren Block wrote:
>> On Wed, 20 Aug 2014, Warren Block wrote:
>>> On Wed, 20 Aug 2014, John Baldwin wrote:
>>>> On Tuesday, August 19, 2014 6:01:54 pm Warren Block wrote:
>>>>> On Mon, 4 Aug 2014, Warren Block wrote:
>>>>>> Draft version of an ezjail section for the Handbook Jails chapter:
>>>>>> http://www.wonkity.com/~wblock/jails/jails-ezjail.html
>>>>>>
>>>>>> This includes a complete setup at the end for running BIND in a jail.
>>>>>> In addition to a complete jail example, it can also serve as an example
>>>>>> of how to set up BIND now that the old chroot configuration is no more.
>>>>>
>>>>> Asking for review again of the final version at the link above. If
>>>>> there are no major complaints in the next few days, it will be
>>>>> committed.
>>>>
>>>> It's not clear to me if you need lo1? If you are using aliases on an
>>>> external interface as you would with a traditional jail then I think
>>>> you don't need the lo1 interface?
>>>
>>> It's there to keep jails from being involved with lo0 on the host. But I
>>> admit the explanation is fuzzy, and will seek clarification.
>>
>> Updated. It now says:
>>
>> To keep jail loopback traffic off the host's loopback network
>> interface lo0, a second loopback interface is created by adding
>> an entry to /etc/rc.conf:...
>
> I guess my question was more "why?" This isn't ezjail-specific, and neither
> of the other two jail tutorials in this chapter mention lo1. If having lo1 is
> important, then we should explain why and probably do so in the first jail
> example and then apply it consistently in all the jail examples. The "why"
> should detail if this is an optional "nice to have" or if this is "critical to
> security and apps can break out of jails otherwise". My assumption is the
> former, but seeing it documented as a mandatory step in the ezjail config
> implies the latter to me.

It is not required, but (as I understand it) can prevent problems with the
host seeing jail loopback traffic.
I'm attempting to find an example which shows how the problem appears.
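As an added illustration (not part of this thread or of the Handbook draft), the following POSIX sh script shows what the lo1 arrangement described above looks like on a running host: it parses FreeBSD-style "ifconfig -a" output and reports every 127/8 address per loopback interface, then lists any jail-style loopback alias that ended up on the host's lo0 instead of lo1. The ifconfig text below is a constructed sample; the interface names, addresses and output layout are assumptions about a typical FreeBSD host.

```shell
#!/bin/sh
# Added example: verify that jail loopback aliases sit on lo1, not on the host's lo0.
# Input is FreeBSD-style "ifconfig -a" text on stdin; the sample below is constructed.

# loopback_report: prints "<iface> <addr>" for every inet 127.x.x.x address found.
loopback_report() {
    awk '
        /^[a-z0-9]+:/ { iface = $1; sub(":", "", iface) }   # interface header line
        $1 == "inet" && $2 ~ /^127\./ { print iface, $2 }   # loopback-range address
    '
}

# stray_on_lo0: prints 127/8 addresses other than 127.0.0.1 that are bound to lo0,
# i.e. jail-style loopback aliases that landed on the host interface.
stray_on_lo0() {
    loopback_report | awk '$1 == "lo0" && $2 != "127.0.0.1" { print $2 }'
}

# Constructed sample: lo0 carries one stray jail alias (127.0.1.2),
# lo1 carries the intended jail alias (127.0.1.1).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.1.2 netmask 0xffffffff
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.1.1 netmask 0xffffffff
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255'

# Run against the sample; on a real host pipe "ifconfig -a" into the functions instead.
printf '%s\n' "$SAMPLE_IFCONFIG" | loopback_report
printf '%s\n' "$SAMPLE_IFCONFIG" | stray_on_lo0
```

On the sample the report lists three loopback addresses and flags 127.0.1.2 as the one alias that should have been configured on lo1.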