Date: Mon, 14 Jul 2003 20:29:23 +0200
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: Uwe Doering <gemini@geminix.org>
Cc: "V. Jones" <vjones62@earthlink.net>
Subject: Re: jails, ipfilter & stunnel
Message-ID: <20030714182923.GB4973@garage.freebsd.pl>
In-Reply-To: <3F110290.5060902@geminix.org>
References: <3083978.1058049961635.JavaMail.nobody@scooter.psp.pas.earthlink.net> <3F110290.5060902@geminix.org>

On Sun, Jul 13, 2003 at 08:56:16AM +0200, Uwe Doering wrote:
+> >I'm setting up a server where I plan to use Jails to improve security
+> >I also have installed and am configuring ipfilter.  Here are my
+> >questions:
+> >
+> >Because I'm using Jails, I will have to have multiple ip aliases on the
+> >network interface.  I will use ipfilter to specify what can go to each
+> >of the addresses.  (e.g., allow only incoming to port 80 on the jail
+> >running apache).
+>
+> You don't have to have multiple IP aliases for multiple jails.  Or at
+> least there is no technical necessity for this (in FreeBSD 4.x, that is,
+> don't know about 5.x).  If it's just about running server processes in
+> their own jail (no port number conflicts) you can have all jails on the
+> same IP address and do the IP filtering (if necessary at all in this
+> scenario) based on port numbers.

No, no, no!
You first need to realize how the kernel will choose the listening socket.
If you bind to port 22 on the main host with INADDR_ANY, you get this
INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY, it
will be translated to the jail's IP. Now if there is an open port outside
the jail and it is opened inside some jail as well, guess which socket will
be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said,
the kernel translates them to the jail's IP).
So from a security point of view, if someone breaks into your jail, he is
able to spoof your sshd (let's forget for a moment about server keys),
your mail server or anything else and get your password, for example.

You can check my patch for multiple IPs in jails, which also fixes the
socket ordering behaviour.

For FreeBSD 4.x:
	http://garage.freebsd.pl/mijail.tbz
	http://garage.freebsd.pl/mijail.README

For FreeBSD 5.1-CURRENT:
	http://garage.freebsd.pl/mijail5.tbz
	http://garage.freebsd.pl/mijail5.README
	http://garage.freebsd.pl/patches/mijail5.patch

+> >Another jailed server will run mail services (pop, smtp, imap).  If
+> >I want to allow users to use web based email (over ssl of course), the
+> >web server will have to communicate with the mail server.  Is there
+> >a chance of "information leakage" in this type of setup?
+>
+> Only the information you transmit will leak.  That is, you define the
+> information interchange between the jails, so pondering over the
+> consequences is on your plate, too.  Just assume that each jail has been
+> broken into by an intruder with evil intentions and ask yourself what
+> damage he can do with the data he can gather from the other jails.
+> Paranoia in action, as it were. ;-)

If the www pages don't have dynamic elements, you can mount them read-only
with mount_null(8), for example. Only logs should be writable, but you
need only one directory with the 'schg' flag and touch(1)'ed log files
inside with the 'sappnd' flag. Note that 'schg' and 'sappnd' can't be
removed in a jail even if securelevel is <= 0.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
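The listener choice described in the message above, as an added example that is not part of the original e-mail and is not FreeBSD kernel code: a small C model in which an exact local-address match beats a wildcard bind, plus an audit that counts host wildcard listeners whose connections would land in a jail. The function names, the jail numbering and the 192.0.2.x addresses are constructed for illustration.

```c
/* User-space model of the listener choice; constructed names and data, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#define ANY      0u          /* INADDR_ANY */
#define HOST_IP  0xC000020Au /* 192.0.2.10, constructed host address */
#define ALIAS_IP 0xC000020Bu /* 192.0.2.11, constructed per-jail alias */

struct listener {
    uint32_t laddr; /* bound local address, ANY for a wildcard bind */
    uint16_t lport;
    int jail;       /* 0 = main host, >0 = jail number (assumed numbering) */
};

/* bind() as the message describes it: inside a jail, INADDR_ANY becomes the jail's IP. */
struct listener do_bind(uint32_t req, uint16_t port, int jail, uint32_t jail_ip) {
    return (struct listener){ (jail && req == ANY) ? jail_ip : req, port, jail };
}

/* Listener chosen for a connection to dst:port: an exact address match beats a wildcard. */
const struct listener *pick(const struct listener *t, size_t n, uint32_t dst, uint16_t port) {
    const struct listener *wild = NULL;
    for (size_t i = 0; i < n; i++) {
        if (t[i].lport != port) continue;
        if (t[i].laddr == dst) return &t[i];
        if (t[i].laddr == ANY && !wild) wild = &t[i];
    }
    return wild;
}

/* Audit: count host wildcard listeners whose connections to host_ip land in a jail. */
int shadowed(const struct listener *t, size_t n, uint32_t host_ip) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].jail == 0 && t[i].laddr == ANY && pick(t, n, host_ip, t[i].lport)->jail != 0)
            hits++;
    return hits;
}

/* Constructed case: host listens on *:22 and *:25, jail 1 asks for *:22. */
int scenario(uint32_t host_ip, uint32_t jail_ip) {
    struct listener t[] = { do_bind(ANY, 22, 0, 0), do_bind(ANY, 25, 0, 0), do_bind(ANY, 22, 1, jail_ip) };
    return shadowed(t, sizeof t / sizeof t[0], host_ip);
}

int main(void) {
    printf("shared IP: %d shadowed, separate alias: %d shadowed\n", scenario(HOST_IP, HOST_IP), scenario(HOST_IP, ALIAS_IP));
    return 0;
}
```

With the jail on the host's own address the host's port 22 listener is shadowed; with the jail on its own alias, connections to the host address still reach the host listener.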