From owner-freebsd-security@FreeBSD.ORG Fri Dec 19 10:21:19 2003
From: Marton Kenyeres
Organization: KVG Konvergencia Kft.
To: security@FreeBSD.org
Date: Fri, 19 Dec 2003 19:20:39 +0100
References: <20031219162648.GA76539@blurp.one.pl> <20031219193645.759a4dbe.list@ostankino.ru> <20031219164713.GA76661@blurp.one.pl>
In-Reply-To: <20031219164713.GA76661@blurp.one.pl>
Message-Id: <200312191920.39141.mkenyeres@konvergencia.hu>
Subject: Re: Configuring JAIL to bind on lo0 interface

On Friday 19 December 2003 17.47, GiZmen wrote:
> > > Can anybody help me with that problem. For now I set it up on external
> > > IP and everything is okay. But I want to have this jail on a different
> > > iface that is not an external iface and is set for example on
> > > 127.0.0.10.
> >
> > You should probably use a real ip for jail, not from 127.0.0.0/8.
>
> So there is no chance to set it up on 127.0.0.0/8 and have access to
> internet? I wanted to have some daemons listening on an aliased IP on lo0
> iface. And then set up a few rules on the firewall to forward traffic from
> the external IP to those IPs on the lo0 interface.
>
> THX

You need to nat and reverse-nat between the external and loopback
interface, something along the lines of:

/etc/ipnat.conf:

  # allow the outside world to connect to named running in the jail
  rdr fxp0 x.x.x.x/32 port 53 -> 127.0.0.53 port 1053 tcp/udp
  # allow named to talk to the outside world
  map fxp0 127.0.0.53/32 -> x.x.x.x/32

Change fxp0 to your network interface, x.x.x.x to your real IP. If you
want to use the name server only from your local machine, you don't need
the first rule.
Note that I like to run named as an unprivileged user (a little more
paranoia :) and let it bind to a high port (1053 in this case), but
that's not strictly necessary. Consult named.conf(5) and su(1) on how to
do this.

Remember: in the case of ipf/ipnat, nat-ing happens _before_ packet
filtering, so allow rules will look something along the lines of:

  pass in quick on fxp0 proto tcp from any to 127.0.0.53 port = 1053 flags S keep state
  pass in quick on fxp0 proto udp from any to 127.0.0.53 port = 1053 keep state

That might look a bit strange at first, but if you get the nat-ing right,
it's OK. (Someone please correct me ASAP, if it isn't :)

HTH,
m.

-- 
Marton Kenyeres - mkenyeres@konvergencia.hu
KVG Konvergencia Kft.
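As an added illustration (not part of the thread), a small Python model of the ordering Marton describes: the ipnat rdr rule rewrites the destination first, so the ipf pass rule has to name the translated address and port (127.0.0.53:1053), not the external one. The parser handles only the rule shapes quoted above; NAIVE_IPF_RULES is constructed for contrast, and 203.0.113.7 is a made-up client address.

```python
from dataclasses import dataclass, replace

# Rules as quoted in the message; "x.x.x.x" stays the placeholder for the real external IP.
IPNAT_CONF = """
rdr fxp0 x.x.x.x/32 port 53 -> 127.0.0.53 port 1053 tcp/udp
map fxp0 127.0.0.53/32 -> x.x.x.x/32
"""
IPF_RULES = """
pass in quick on fxp0 proto tcp from any to 127.0.0.53 port = 1053 flags S keep state
pass in quick on fxp0 proto udp from any to 127.0.0.53 port = 1053 keep state
"""
# Constructed for contrast: the same intent written against the pre-NAT destination.
NAIVE_IPF_RULES = """
pass in quick on fxp0 proto tcp from any to x.x.x.x port = 53 flags S keep state
pass in quick on fxp0 proto udp from any to x.x.x.x port = 53 keep state
"""

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int

def apply_rdr(pkt: Packet, ipnat_conf: str) -> Packet:
    """Rewrite the destination per the first matching rdr line (only the rule shape above is parsed)."""
    for line in ipnat_conf.splitlines():
        f = line.split()  # rdr <if> <addr>/<mask> port <p> -> <newaddr> port <newp> <proto>[/<proto>]
        if len(f) != 10 or f[0] != "rdr":
            continue
        if (pkt.iface, pkt.dst, pkt.dport) == (f[1], f[2].split("/")[0], int(f[4])) and pkt.proto in f[9].split("/"):
            return replace(pkt, dst=f[6], dport=int(f[8]))
    return pkt

def ipf_decision(pkt: Packet, ipf_rules: str) -> str:
    """First matching 'pass in quick on <if> proto <p> from any to <addr> port = <n>' wins; default block."""
    for line in ipf_rules.splitlines():
        f = line.split()
        hit = len(f) >= 14 and f[:2] == ["pass", "in"]
        if hit and (pkt.iface, pkt.proto, pkt.dst, pkt.dport) == (f[4], f[6], f[10], int(f[13])):
            return "pass"
    return "block"

def inbound(pkt: Packet, ipnat_conf: str, ipf_rules: str) -> tuple:
    """The order the message describes: ipnat rdr runs first, ipf then sees the translated packet."""
    translated = apply_rdr(pkt, ipnat_conf)
    return translated, ipf_decision(translated, ipf_rules)
```

Running inbound() on a constructed query to x.x.x.x port 53 passes with IPF_RULES and is blocked with NAIVE_IPF_RULES, even though both rule sets "mean" DNS to the jail.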