From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 08:48:22 2005
Date: Fri, 19 Aug 2005 10:46:47 +0200
From: Pawel Malachowski
To: freebsd-security@freebsd.org
Message-ID: <20050819084647.GA53116@shellma.zin.lublin.pl>
References: <43049FB2.1030203@fsn.hu> <20050818224438.2084D70DBC6@mail.npubs.com>
In-Reply-To: <20050818224438.2084D70DBC6@mail.npubs.com>
Subject: Re: Closing information leaks in jails?

On Thu, Aug 18, 2005 at 10:44:42PM +0000, Nate Nielsen wrote:

> netstat works, but it limits itself to the jail pretty well. In
> particular 'netstat -r' and friends don't work. The normal 'netstat -a'
> only shows connections to the current jail. It does show the output from
> 'netstat -m' and those sort of things, but those say nothing over the
> network load of the current machine.
One can use the bmon application in a jail to graph network activity in
real time, for example:

% sysctl -a | grep jail
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 1

% id
uid=11226(pawmal) gid=10999(pawmal) groups=10999(pawmal)

% bmon
  #   Interface              RX Rate      RX #      TX Rate      TX #
 ....................................................................................
 xxx (source: local)
  0   fxp0                   1.29KiB        23     32.51KiB        34
  1   lo0                    442.00B         2      442.00B         2
  2   vlan3                  660.00B        11     32.40KiB        27
  3   vlan4                  419.00B         5        0.00B         0
  4   vlan6                    0.00B         0        0.00B         0
  5   vlan9                    0.00B         0        0.00B         0

-- 
Paweł Małachowski