From owner-freebsd-jail@FreeBSD.ORG Sun Nov 30 18:25:08 2008
Date: Sun, 30 Nov 2008 18:22:34 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Frank Behrens
Cc: freebsd-jail@freebsd.org
In-Reply-To: <4932C01C.4020609@harz.behrens.de>
Message-ID: <20081130181856.W61259@maildrop.int.zabbadoz.net>
References: <200811272118.mARLIdKH006580@post.behrens.de> <20081129165714.E61259@maildrop.int.zabbadoz.net> <4932C01C.4020609@harz.behrens.de>
Subject: Re: Anyone interested in jail patches?
On Sun, 30 Nov 2008, Frank Behrens wrote:

Hi,

> Bjoern A. Zeeb wrote:
>> On Thu, 27 Nov 2008, Frank Behrens wrote:
>>> On the other side I still read in the patched jail(2) man page:
>>> "Similarly, it might be a good idea to add an address alias flag such
>>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>>> address...". Can you explain the current behaviour?
>>
>> I think this question is related to your PR kern/84215.
> Yes.
>
>> The current situation is: jails take precedence. So if sshd is
>> listening on inaddr_any on the host and on inaddr_any inside a jail
>> the connection to an IP belonging to a jail will end up inside the
>> jail; any connections to IPs not belonging to jails will end up on the
>> base.
> So we have now the desired behaviour. Your explanation should replace
> the (now incorrect) sentence in the man page. Please excuse my error, it is
> in jail(8), not jail(2).
>
>> Obviously if you stop the jail and ssh to a former jail IP you'll end
>> up on the base system and ssh would complain about different keys
>> possibly while telnet or similar things won't notice.
> This is expected and not easily circumvented.

Yes it is. You don't bind your sshd (or whatever) to inaddr_any on the
base system but to an IP exclusive to the base system. If the jail is
stopped, you'll get connection refused instead of unexpected behaviour.

So what is in the man page is not entirely wrong.

/bz

-- 
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.
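The advice in the message above (bind base-system daemons to an address that belongs only to the base system, never to INADDR_ANY, so that a stopped jail yields "connection refused" rather than a silent fall-through to the host's sshd) can be turned into a quick audit. The script below is an added example, not code from the thread or from FreeBSD: it scans output shaped like `sockstat -4l` for base-system listeners on the wildcard address, and it checks an sshd_config for the weak (no `ListenAddress`, or an explicit `0.0.0.0`) versus the hardened (`ListenAddress <host-only IP>`) setting. The sockstat output, the sshd_config fragments and the address 192.0.2.10 are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from FreeBSD).
# Audit for the INADDR_ANY-vs-jail problem discussed above: find base-system
# listeners bound to the wildcard address and check whether sshd_config
# would make sshd listen on INADDR_ANY.

# Constructed sample modelled on `sockstat -4l` output (not a real capture).
# Columns: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     ntpd       640   20 udp4   *:123                 *:*
root     syslogd    522   7  udp4   127.0.0.1:514         *:*
www      nginx      901   6  tcp4   192.0.2.10:80         *:*'

# Constructed sshd_config fragments: the weak default and the hardened form.
SSHD_CONFIG_WILDCARD='# constructed: default sshd_config, no ListenAddress -> INADDR_ANY
Port 22
PermitRootLogin no'

SSHD_CONFIG_HARDENED='# constructed: sshd bound to an address exclusive to the base system
Port 22
ListenAddress 192.0.2.10
PermitRootLogin no'

# wildcard_listeners SOCKSTAT_TEXT
# Prints "COMMAND PID PROTO LOCAL" for every socket whose local address is
# the wildcard, which sockstat shows as "*:port". These are the daemons that
# a jail's own INADDR_ANY listener will shadow while the jail runs, and that
# will silently answer for the jail's IPs once the jail is stopped.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $3, $5, $6 }'
}

# sshd_binds_wildcard SSHD_CONFIG_TEXT
# Returns 0 if the config would make sshd listen on INADDR_ANY: either no
# ListenAddress directive at all, or an explicit wildcard (0.0.0.0, ::, *).
# Returns 1 if every ListenAddress names a specific address.
# Comments and blank lines are ignored; an optional ":port" suffix and IPv6
# brackets are stripped before the address is inspected.
sshd_binds_wildcard() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "listenaddress" {
            addr = $2
            if (addr ~ /^[0-9.]+:[0-9]+$/ || addr ~ /\]:[0-9]+$/)
                sub(/:[0-9]+$/, "", addr)      # strip trailing :port
            gsub(/^\[|\]$/, "", addr)          # strip IPv6 brackets
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                explicit_wild = 1
            else
                specific = 1
        }
        END { if (explicit_wild || !specific) exit 0; else exit 1 }'
}

# Stand-alone demonstration against the constructed data.
echo "Base-system listeners on the wildcard address:"
wildcard_listeners "$SAMPLE_SOCKSTAT"
if sshd_binds_wildcard "$SSHD_CONFIG_WILDCARD"; then
    echo "default sshd_config: sshd binds INADDR_ANY (weak)"
fi
if ! sshd_binds_wildcard "$SSHD_CONFIG_HARDENED"; then
    echo "hardened sshd_config: sshd bound to a base-system-only address (ok)"
fi
```

On a real host, feed `wildcard_listeners "$(sockstat -4l)"` and `sshd_binds_wildcard "$(cat /etc/ssh/sshd_config)"`. Note that sockstat run on the host also lists the sockets of jailed processes; use its `-j` option, where the installed version has it, to restrict the listing to one jail or to the base system before drawing conclusions about which listener is the host's.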