Date: Mon, 14 Jul 2003 13:49:20 -0400 (EDT)
From: "V. Jones" <vjones62@earthlink.net>
To: freebsd-security@freebsd.org
Subject: Re: Re: Re: jails, ipfilter & stunnel
Message-ID: <1868570.1058215847119.JavaMail.nobody@beaker.psp.pas.earthlink.net>
>
> > No, no, no!
> >
> > You first need to realize how the kernel will choose the listen socket.
> > If you bind to port 22 on the main host with INADDR_ANY, you get this
> > INADDR_ANY, but if you bind to port 22 in a jail even with INADDR_ANY
> > it will be translated to the jail's IP. Now if there is an open port outside
> > the jail and inside some jail it is opened as well, guess which socket will
> > be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the kernel
> > translates them to the jail's IP). So from a security point of view, if someone
> > breaks into your jail, he is able to spoof your sshd (let's forget
> > for a moment about server keys), your mail server or anything else
> > and get your password, for example.
>
> Good point. I forgot to mention that you should bind daemons running
> outside the jails explicitly to the server's IP address. This
> circumvents the problem you've pointed out. But I agree with you that
> people would be less likely to shoot themselves in the foot if the
> kernel took care of things in this situation.
>

Oh - okay. The directions I followed in "Absolute BSD" had me configure all daemons so that they only listened on the main IP address. Is this what you guys are talking about? Actually, the book said the jailed server wouldn't even start if this wasn't done. For example, in my /etc/ssh/sshd_config:

ListenAddress x.x.x.8
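An added audit check, not from the thread or from FreeBSD itself: it assumes the column layout of `sockstat -4 -l` output and flags host daemons still listening on INADDR_ANY (the sockets a jailed process could shadow), and it checks an sshd_config body for the explicit ListenAddress the reply above recommends. The sockstat sample and the config fragments are constructed.

```python
import re

# Constructed sample of `sockstat -4 -l` output on a jail host (not real data);
# only sockstat's column layout is assumed, the processes and PIDs are made up.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     sendmail   601   4  tcp4   *:25                  *:*
root     nginx      700   6  tcp4   192.0.2.8:80          *:*
root     syslogd    310   5  udp4   *:514                 *:*
"""

# Spellings of "bind to every address" seen in sockstat and sshd_config.
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

def wildcard_tcp_listeners(sockstat_output):
    """Return (command, pid, port) for each TCP listener bound to INADDR_ANY.

    On a jail host such a socket loses to a jailed process that binds the
    same port, so every hit is a daemon that needs an explicit bind address.
    """
    hits = []
    for line in sockstat_output.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 7 or not fields[4].startswith("tcp"):
            continue
        command, pid, local = fields[1], int(fields[2]), fields[5]
        host, _, port = local.rpartition(":")           # '*:22' -> ('*', '22')
        if host in WILDCARDS:
            hits.append((command, pid, int(port)))
    return hits

def sshd_listen_addresses(sshd_config_text):
    """Return the effective ListenAddress values from an sshd_config body.

    Comments are stripped first; an empty result means sshd falls back to
    INADDR_ANY, which is exactly the setup the thread warns about.
    """
    addrs = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ListenAddress\s+(\S+)", line, re.IGNORECASE)
        if m:
            addrs.append(m.group(1))
    return addrs

def sshd_binds_wildcard(sshd_config_text):
    """True when sshd would listen on all addresses, including the jails' ones."""
    addrs = sshd_listen_addresses(sshd_config_text)
    return not addrs or any(
        a in WILDCARDS or a.rpartition(":")[0] in WILDCARDS for a in addrs)
```

Run `wildcard_tcp_listeners` over real `sockstat -4 -l` output and expect an empty list once every host daemon has been given the server's own address.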