From: Jeremie Le Hen
To: Harald Schmalzbauer
Cc: freebsd-current@freebsd.org
Date: Tue, 31 May 2005 16:30:37 +0200
Subject: Re: unwanted packet forwarding / PR candidate?
Message-ID: <20050531143037.GM54337@obiwan.tataz.chchile.org>
In-Reply-To: <200505310934.43162@harrymail>

Hi Harald,

> in a previous e-mail I described some problems with multihomed
> jail-systems. But there is another general problem.
>
>                 INET
>                   |
>   |-----------|   |---------|
>   |   Box A   |   |----A---|      | Box B |
>   |if0     if1|   | Router |   |----v----|
>   |-v-------v-|   |-v----v-|        |
>    |       |  DMZ  |    |           |
>    |       |-------|----|           |
>    |                    |           |
>    |--------------------|-----------|------------|
>                        LAN
>
> If you look at the diagram you see Box A with two interfaces, if0
> (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for
> the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
> Now when I connect from BoxB(172.16.0.3) to a jail running on
> BoxA(192.168.0.2) the outgoing packets go over the router into the DMZ.
> But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2
> (BoxA if0) I can connect to the jail running on BoxA via the if0
> interface, even if I haven't enabled forwarding on BoxA.
> This is a big security hole IMHO.
> Should I file a PR for that?

Both if0 IP addresses and if1 ones belong to BoxA; the fact that the IP
address assigned to if1 is bound to a jail does not matter. In fact there
could be processes outside of the jail which listen on 192.168.0.2.

This is the intended behaviour. When BoxA receives a packet addressed to
one of its IP addresses on some interface, whichever interface it is, the
packet is accepted unless net.inet.ip.check_interface is set to 1.

The fact that you set this route on BoxB just sets the destination MAC
address of the packet destined to 192.168.0.2 to if0's one.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
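The behaviour described in the reply, as an added example that is not part of the thread: a small Python model of Box B's route lookup and Box A's input decision. It shows that the static route only changes which Box A interface receives the frame, that net.inet.ip.forwarding never enters into the decision for a packet addressed to Box A itself, and that net.inet.ip.check_interface=1 is the setting that rejects such a packet on the "wrong" interface. The router's LAN address and its DMZ leg are assumptions, as are the routing tables.

```python
import ipaddress

# Constructed addressing, following the thread's diagram (the router's LAN
# address is an assumption; the thread does not give it).
ROUTER_LAN = "172.16.0.1"
BOX_A = {                    # Box A's interfaces
    "if0": "172.16.0.2",     # LAN side
    "if1": "192.168.0.2",    # DMZ side, the address the jail uses
}
DEFAULT_ONLY = [("0.0.0.0/0", ROUTER_LAN)]
WITH_STATIC = DEFAULT_ONLY + [("192.168.0.0/24", BOX_A["if0"])]

def next_hop(dst, routes):
    """Longest-prefix lookup in Box B's routing table."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw)
    return best[1] if best else None

def arrives_on(gw):
    """Box A interface that receives the frame. A next hop equal to one of
    Box A's own addresses means Box B ARPs for that interface's MAC and hands
    the packet there directly; otherwise the router carries it into the DMZ,
    where it reaches if1 (assumes the router has a DMZ leg)."""
    for name, addr in BOX_A.items():
        if addr == gw:
            return name
    return "if1"

def box_a_input(dst, iface, check_interface=0, forwarding=0):
    """Box A's input decision. A local destination is accepted on any
    interface (weak host model) unless net.inet.ip.check_interface=1;
    net.inet.ip.forwarding only governs packets NOT addressed to Box A."""
    local = {addr: name for name, addr in BOX_A.items()}
    if dst in local:
        if check_interface and local[dst] != iface:
            return "drop"
        return "accept"
    return "forward" if forwarding else "drop"

def simulate(dst, routes, check_interface=0, forwarding=0):
    """Trace a packet from Box B to dst: (Box A ingress interface, decision)."""
    iface = arrives_on(next_hop(dst, routes))
    return iface, box_a_input(dst, iface, check_interface, forwarding)
```

Calling `simulate("192.168.0.2", WITH_STATIC)` gives `("if0", "accept")` with the defaults and `("if0", "drop")` with `check_interface=1`, while the default-route path `simulate("192.168.0.2", DEFAULT_ONLY)` is accepted on if1 either way.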