Date: Tue, 31 May 2005 16:30:37 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Harald Schmalzbauer <harry@schmalzbauer.de>
Cc: freebsd-current@freebsd.org
Subject: Re: unwanted packet forwarding / PR candidate?
Message-ID: <20050531143037.GM54337@obiwan.tataz.chchile.org>
In-Reply-To: <200505310934.43162@harrymail>
References: <200505310934.43162@harrymail>
Hi Harald,

> in a previous e-mail I described some problems with multihomed
> jail-systems. But there is another general problem.
>
>                         INET
>   |-----------|           |          |---------|
>   |   Box A   |       |---A----|     |  Box B  |
>   |if0     if1|       | Router |     |----v----|
>   |-v-------v-|       |-v----v-|          |
>     |       |    DMZ    |    |            |
>     |       |-----|-----|    |            |
>     |                        |            |
>     |------------------------|------------|
>                        LAN
>
> If you look at the diagram you see Box A with two interfaces, if0
> (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for
> the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
> Now when I connect from BoxB (172.16.0.3) to a jail running on
> BoxA (192.168.0.2) the outgoing packets go over the router into the DMZ.
> But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2
> (BoxA if0) I can connect to the jail running on BoxA via the if0
> interface, even if I haven't enabled forwarding on BoxA.
> This is a big security hole IMHO.
> Should I file a PR for that?

Both if0's and if1's IP addresses belong to BoxA; the fact that the IP
address assigned to if1 is bound to a jail does not matter. In fact there
could be processes outside of the jail which listen on 192.168.0.2.

This is the intended behaviour. When BoxA receives a packet addressed to
one of its IP addresses on some interface, whichever interface it is, the
packet is accepted unless net.inet.ip.check_interface is set to 1. The
fact that you set this route on BoxB just sets the destination MAC address
of the packet destined for 192.168.0.2 to if0's.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
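As an added illustration (not part of the thread), a small Python model of the scenario described above: BoxB's static route changes only the destination MAC of the frame, and whether BoxA then accepts a packet for its if1 address arriving on if0 depends on net.inet.ip.check_interface. The addresses, MAC values and BoxB's route and ARP entries are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# BoxA as in the diagram: if0 on the LAN, if1 (jail address) on the DMZ.
BOXA_IFACES = {
    "if0": {"mac": "02:00:00:aa:00:00", "addrs": {ip_address("172.16.0.2")}},
    "if1": {"mac": "02:00:00:aa:00:01", "addrs": {ip_address("192.168.0.2")}},
}
ROUTER_MAC = "02:00:00:bb:00:00"          # the router's LAN-side interface
# BoxB's ARP cache on the LAN (constructed).
BOXB_ARP = {"172.16.0.1": ROUTER_MAC, "172.16.0.2": BOXA_IFACES["if0"]["mac"]}
# BoxB's routes as (prefix, gateway); None means directly connected.
BOXB_ROUTES = [(ip_network("172.16.0.0/16"), None),
               (ip_network("0.0.0.0/0"), ip_address("172.16.0.1"))]
STATIC_ROUTE = (ip_network("192.168.0.0/24"), ip_address("172.16.0.2"))

def next_hop(routes, dst):
    """Longest-prefix match: the address BoxB resolves with ARP."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1] if best[1] is not None else dst

def frame_from_boxb(routes, dst):
    """The route only changes the destination MAC; the IP header is untouched."""
    return {"dst_mac": BOXB_ARP[str(next_hop(routes, dst))], "dst_ip": dst}

def boxa_input(frame, check_interface):
    """BoxA's decision for a frame that reaches one of its interfaces, or None if
    the frame is addressed to some other MAC on the LAN (e.g. the router)."""
    rx_if = next((n for n, i in BOXA_IFACES.items() if i["mac"] == frame["dst_mac"]), None)
    if rx_if is None:
        return None
    if not any(frame["dst_ip"] in i["addrs"] for i in BOXA_IFACES.values()):
        return "not local"     # would need net.inet.ip.forwarding to go anywhere
    if check_interface and frame["dst_ip"] not in BOXA_IFACES[rx_if]["addrs"]:
        return "dropped"       # check_interface=1: address must live on rx_if
    return "accepted"          # default weak host model: any local address is ours

def scenario(with_static_route):
    """Returns (next hop BoxB ARPs for, verdict with check_interface=0, with =1)."""
    routes = BOXB_ROUTES + ([STATIC_ROUTE] if with_static_route else [])
    dst = ip_address("192.168.0.2")
    frame = frame_from_boxb(routes, dst)
    return (str(next_hop(routes, dst)), boxa_input(frame, 0), boxa_input(frame, 1))

if __name__ == "__main__":
    print(scenario(False))   # ('172.16.0.1', None, None): frame goes to the router
    print(scenario(True))    # ('172.16.0.2', 'accepted', 'dropped')
```

Without the static route the frame is handed to the router and BoxA never sees it on if0; with it, the default weak host model accepts the packet on if0 while check_interface=1 drops it, which is the distinction the reply makes.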
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050531143037.GM54337>