Date:      Sat, 31 May 2003 09:44:08 +0200
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        Alexandr Kovalenko <never@nevermind.kiev.ua>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: jail && (ping && traceroute)
Message-ID:  <20030531074408.GP45118@garage.freebsd.pl>
In-Reply-To: <20030530143542.GA72040@nevermind.kiev.ua>
References:  <20030530143542.GA72040@nevermind.kiev.ua>

On Fri, May 30, 2003 at 05:35:42PM +0300, Alexandr Kovalenko wrote:
+> I have 2 questions:
+>
+>  - where in code should I search for icmp socket binding prohibition in
+>    jail?;
+>  - what bad consequences will appear if I remove those checks and
+>    prohibition?.

It is nasty to allow all jailed processes to open RAW sockets.
You can use CerbNG to allow only selected jailed processes to open a RAW socket.
General policy is here:

	http://cerber.sourceforge.net/policies/jailed-icmp.cb

but you can easily rewrite it to allow only selected processes to do this.

Project's page is here:

	http://cerber.sourceforge.net

And the rest of the policies:

	http://cerber.sourceforge.net/policies/

CerbNG works only on 4-STABLE systems for now and there will soon be a
1.0-RC2 version, but I've started porting it to -CURRENT.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
