Date: Sat, 24 Oct 2020 11:50:05 +1100
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: carlos antonio neira bustos <cneirabustos@gmail.com>, freebsd-net <freebsd-net@freebsd.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Allow PING(8) in jails without raw socket access permissions
Message-ID: <9ffe565d-65cb-cbfa-f0dc-189ee8d7215e@heuristicsystems.com.au>
In-Reply-To: <CACiB22jQTwR=yJQG8hxBuVU=xbn-rpJ1PZVQ=7xPzEV8en90=A@mail.gmail.com>
References: <CACiB22jQTwR=yJQG8hxBuVU=xbn-rpJ1PZVQ=7xPzEV8en90=A@mail.gmail.com>
On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
>
> I currently have a patch in review with jamie, who is the current jail
> maintainer, and kyle evans; if anyone else could comment on/review this patch:
> https://reviews.freebsd.org/D26782
>
> What has been done is the following:
>
> Raw socket access is allowed for the ICMP protocol, as is required by
> PING(8), but option IP_HDRINCL is not allowed. To accomplish this,
> a new privilege, PRIV_NETINET_ICMP_ACCESS, has been added by default for
> jails.
>
> Bests

Thanks for the heads-up, Carlos. I have a use for allowing only ICMP traffic, so it's beneficial. However I do agree with BZ that it should not be enabled by default, as it weakens the security model, enabling a broken jail to more easily enumerate the wider network environment.
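As an added illustration (not code from the thread or from review D26782), the probe below is what a jail administrator could run inside a jail to check which of the two capabilities the patch separates are granted: opening an ICMP raw socket, and setting IP_HDRINCL on it. The struct, function and verdict strings are constructed for this example; on a kernel without the patch, or on Linux, the outcome will simply reflect that kernel's own policy.

```c
/* Probe: does this jail allow an ICMP raw socket, and does it allow IP_HDRINCL? */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct icmp_probe {
    int raw_errno;     /* 0 if socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) succeeded */
    int hdrincl_errno; /* 0 if IP_HDRINCL was accepted; -1 if never attempted */
};

/* Runs the probe and fills *res; returns 0 once both steps have been tried. */
int probe_icmp_policy(struct icmp_probe *res)
{
    int on = 1;
    res->raw_errno = 0;
    res->hdrincl_errno = -1;

    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        res->raw_errno = errno; /* typically EPERM: no ICMP raw access here */
        return 0;
    }
    /* Under the ICMP-only privilege this is the call that is expected to fail. */
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0)
        res->hdrincl_errno = errno;
    else
        res->hdrincl_errno = 0;
    close(fd);
    return 0;
}

/* Maps a probe result to a short verdict (constructed wording). */
const char *icmp_probe_verdict(const struct icmp_probe *res)
{
    if (res->raw_errno != 0)
        return "ICMP raw socket denied";
    if (res->hdrincl_errno != 0)
        return "ICMP raw socket allowed, IP_HDRINCL denied (ICMP-only policy)";
    return "full raw socket access (IP_HDRINCL accepted)";
}

int main(void)
{
    struct icmp_probe r;
    probe_icmp_policy(&r);
    printf("%s (socket errno %d, IP_HDRINCL errno %d)\n",
           icmp_probe_verdict(&r), r.raw_errno, r.hdrincl_errno);
    return 0;
}
```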