Date:      Mon, 14 Jul 2003 12:39:50 -0400 (EDT)
From:      "V. Jones" <vjones62@earthlink.net>
To:        freebsd-security@freebsd.org
Subject:   Re: Re: jails, ipfilter & stunnel
Message-ID:  <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net>

>No, no, no!

>You first need to realize how the kernel will choose the listen socket.
>If you bind to port 22 on the main host with INADDR_ANY, you get this
>INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
>it will be translated to the jail's IP. Now if there is an open port outside
>the jail and inside some jail it is opened as well, guess which socket will
>be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the
>kernel translates them to the jail's IP). So from a security point of view, if
>someone breaks into your jail, he is able to spoof your sshd (let's forget
>for a moment about server keys), your mail server or anything
>and get your password, for example.

>You can check my patch for multiple IPs in jails, which also fixes
>the socket ordering behaviour.

>   	For FreeBSD 4.x:
>   	http://garage.freebsd.pl/mijail.tbz
>   	http://garage.freebsd.pl/mijail.README
>   	For FreeBSD 5.1-CURRENT:
>   	http://garage.freebsd.pl/mijail5.tbz
>   	http://garage.freebsd.pl/mijail5.README
>   	http://garage.freebsd.pl/patches/mijail5.patch

I have a feeling you're trying to tell me something important
but I'm not understanding.  Is this a problem only with ssh or 
with any server listening on a port?  Does this problem occur 
when you share an ip address between two jailed servers or does 
it happen any time you use a jail?  Would having ssh on a 
different port on each jail avoid the problem?
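
The listener choice described in the quoted reply can be modelled and audited as below. This is an added example, not part of the original message or of the mijail patch: the `sockstat -4l` style sample is constructed, the function names are hypothetical, and it assumes any listener bound to a jail's IP belongs to that jail.

```python
"""Simplified model of listener selection: a socket bound to a specific
address wins over a wildcard (INADDR_ANY) socket on the same port."""

WILDCARD = "*"

# Constructed sample in the style of `sockstat -4l` output; not from the thread.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
root     sendmail   501   4  tcp4   *:25                  *:*
root     sshd       2290  3  tcp4   192.0.2.10:22         *:*
www      httpd      2301  16 tcp4   192.0.2.10:80         *:*
"""

def parse_listeners(text):
    """Return (command, pid, addr, port) for each TCP listener line."""
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 7 or not f[4].startswith("tcp"):
            continue
        addr, _, port = f[5].rpartition(":")
        out.append((f[1], int(f[2]), addr, int(port)))
    return out

def choose_listener(listeners, dst_ip, dst_port):
    """Pick the listener for an incoming connection: exact address first,
    wildcard only as a fallback, None if nothing listens on the port."""
    fallback = None
    for l in listeners:
        if l[3] != dst_port:
            continue
        if l[2] == dst_ip:
            return l
        if l[2] == WILDCARD and fallback is None:
            fallback = l
    return fallback

def shadowed(listeners, jail_ips):
    """List (jail_ip, port, host_pid, winning_pid) where a host wildcard
    listener no longer receives connections addressed to a jail IP."""
    hits = []
    for host in (l for l in listeners if l[2] == WILDCARD):
        for ip in jail_ips:
            winner = choose_listener(listeners, ip, host[3])
            if winner is not host:
                hits.append((ip, host[3], host[1], winner[1]))
    return hits

if __name__ == "__main__":
    for ip, port, hpid, jpid in shadowed(parse_listeners(SAMPLE), ["192.0.2.10"]):
        print(f"{ip}:{port} is answered by pid {jpid}, not host pid {hpid}")
```
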


