Date: Sun, 30 Nov 2008 18:22:34 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: Frank Behrens <frank@harz.behrens.de> Cc: freebsd-jail@freebsd.org Subject: Re: Anyone interested in jail patches? Message-ID: <20081130181856.W61259@maildrop.int.zabbadoz.net> In-Reply-To: <4932C01C.4020609@harz.behrens.de> References: <200811272118.mARLIdKH006580@post.behrens.de> <20081129165714.E61259@maildrop.int.zabbadoz.net> <4932C01C.4020609@harz.behrens.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 30 Nov 2008, Frank Behrens wrote: Hi, > Bjoern A. Zeeb wrote: >> On Thu, 27 Nov 2008, Frank Behrens wrote: >>> On the other side I still read in the patched jail(2) man page: >>> "Similarly, it might be a good idea to add an address alias flag such >>> that daemons listening on all IPs (INADDR_ANY) will not bind on that >>> address...". Can you explain the current behaviour? >> >> I think this question is related to your PR kern/84215. > Yes. > >> The current situation is: jails take precendence. So if sshd is >> listening on inaddr_any on the host and on inaddr_any inside a jail >> the connection to an IP belonging to a jail will end up inside the >> jail; any connections to IPs not beloning to jails will end up on the >> base. > So we have now the desired behaviour. Your explanation should replace > the (now incorrect) sentence in the man page. Please excuse my error, it is > in jail(8), > not jail(2). > >> Obviously if you stop the jail and ssh to a former jail IP you'll end >> up on the bsae system and ssh would complain about different keys >> possibly while telnet or similar things won't notice. > This is expected and not easily to circumvent. Yes it is. You don't bind your sshd (or whatever) to inaddr_any on the base system but an IP exclusive to the base system. If the jail is stopped, you'll get connection refused instead of an unexpected behaviour. So what is in the man page is not entirely wrong. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081130181856.W61259>