Date: Fri, 30 May 2003 14:07:15 -0700
From: "Mooneer Salem" <mooneer@translator.cx>
To: "Alexandr Kovalenko" <never@nevermind.kiev.ua>, <freebsd-hackers@freebsd.org>
Subject: RE: jail && (ping && traceroute)
Message-ID: <FHEMJMOKKMJDGKFOHHEPIEHCHAAA.mooneer@translator.cx>
In-Reply-To: <20030530143542.GA72040@nevermind.kiev.ua>

Hello,

It involves allowing all applications inside the jail access to raw sockets.
Raw sockets are also responsible for ipfw and other services; therefore, it
may be prudent to add separate sysctl settings allowing/denying access to
those.

I have a patch that does allow raw sockets and allows people inside a jail
to add ipfw rules for their own IP address(es), among other things. See
http://msalem.translator.cx/dist/jail_separation.v7.patch (for 5.0-RELEASE). :)

Thanks,

--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: owner-freebsd-hackers@freebsd.org
[mailto:owner-freebsd-hackers@freebsd.org]On Behalf Of Alexandr Kovalenko
Sent: Friday, May 30, 2003 7:36 AM
To: freebsd-hackers@freebsd.org
Subject: jail && (ping && traceroute)

[Please Cc: me on reply]

Hello,

I have 2 questions:

- where in code should I search for icmp socket binding prohibition in
  jail?;
- what bad consequences will appear if I remove those checks and
  prohibition?.

Thanks in advance!

--
NEVE-RIPE, will build world for food
Ukrainian FreeBSD User Group
http://uafug.org.ua/
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"