Date: Sat, 16 Dec 2006 10:13:00 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Gergely CZUCZY
Cc: freebsd-net@freebsd.org
Subject: Re: jail addresses and default bindings
Message-ID: <20061216100556.T91892@maildrop.int.zabbadoz.net>
In-Reply-To: <20061216094004.GA24480@harmless.hu>

On Sat, 16 Dec 2006, Gergely CZUCZY wrote:

Hi,

> whenever i try to connect to a port of a jail from the
> host system, the kernel automatically assigns the
> jail's IP address as the source address to the socket.
>
> I'd assume that this is not a so welcomed behaviour, because

it is because that's the way it always works with inet socket
communication. Connect to the loopback address and the source address
will be the loopback address; connect to any of the other "host addresses"
and the source will be the same address (unless told to be a different
one; see further down).

> this way it's hard to distinguish in a packet filter (let's say pf),
> among connections originating from within the jail itself or
> from the host system to the jail.

I won't ask why you would want to do that if you control it from
the "host" system anyway...

> my question is, is there any work in progress around this?
> if it's going to be reviewed/fixed/etc, when is it going to
> happen, and into which stable/release branch is it planned?

No. If you want that, make sure your connections come from the
"host system": bind to the IP of the "host system" (or one of them).
telnet -s, BindAddress of ssh, ... are your friends.

-- 
Bjoern A. Zeeb    bzeeb at Zabbadoz dot NeT
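
The source-address behaviour and the explicit bind described in the reply, as an added example that is not part of the original message: a client connects to a local listener once unbound and once bound to a different local address, and the listener reports the source it saw. `JAIL_IP`, `HOST_IP`, `observed_source` and `classify` are hypothetical names; both addresses are constructed stand-ins, and where only 127.0.0.1 is configured on the loopback interface, 127.0.0.2 has to be added as an alias first.

```python
import socket

JAIL_IP = "127.0.0.1"  # constructed stand-in for the jail's address
HOST_IP = "127.0.0.2"  # constructed stand-in for a host-only address


def observed_source(dest_ip, bind_ip=None):
    """Connect to a throwaway listener on dest_ip and return the source
    address the listener sees for that connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((dest_ip, 0))  # port 0: the kernel picks a free port
        srv.listen(1)
        srv.settimeout(5)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(5)
            if bind_ip is not None:
                # Same idea as `telnet -s` or ssh's BindAddress:
                # fix the source address before connecting.
                cli.bind((bind_ip, 0))
            cli.connect((dest_ip, port))
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


def classify(source_ip):
    """What a source-address match in a packet filter can tell apart."""
    if source_ip == JAIL_IP:
        return "from-jail-address"
    return "from-host-address"


if __name__ == "__main__":
    default_src = observed_source(JAIL_IP)
    bound_src = observed_source(JAIL_IP, bind_ip=HOST_IP)
    print("unbound client:", default_src, classify(default_src))
    print("bound client:  ", bound_src, classify(bound_src))
```

The unbound client is indistinguishable by source address from a process using the destination's own address; only the bound client gives a filter rule something to match on.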