From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Mon, 14 Jul 2003 13:49:20 -0400 (EDT)
Subject: Re: Re: Re: jails, ipfilter & stunnel
Message-ID: <1868570.1058215847119.JavaMail.nobody@beaker.psp.pas.earthlink.net>

> > > No, no, no!
> >
> > You first need to realize how the kernel will choose the listen socket.
> > If you bind to port 22 on the main host with INADDR_ANY, you get this
> > INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
> > it will be translated to the jail's IP. Now if there is an open port
> > outside the jail and inside some jail it is open as well, guess which
> > socket will be chosen. The socket in the jail, because it isn't
> > INADDR_ANY (as I said, the kernel translates them to the jail's IP).
> > So from a security point of view, if someone breaks into your jail,
> > he is able to spoof your sshd (let's forget for a moment about server
> > keys), your mail server or anything else and get your password, for
> > example.
>
> Good point. I forgot to mention that you should bind daemons running
> outside the jails explicitly to the server's IP address. This
> circumvents the problem you've pointed out. But I agree with you that
> people would be less likely to shoot themselves in the foot if the
> kernel took care of things in this situation.
>

Oh - okay. The directions I followed in "Absolute BSD" had me configure all daemons so that they only listened on the main IP address. Is this what you guys are talking about? Actually, the book said the jailed server wouldn't even start if this wasn't done. For example, in my /etc/ssh/sshd_config:

ListenAddress x.x.x.8
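A way to check a host for the wildcard binds discussed in this thread, as an added example that is not part of the original message: it reads `sockstat -4l`-style output and flags TCP listeners on `*:port`, noting ports where a specific-address bind already takes precedence. The function names and the sample listing are constructed, and it assumes the host's listing shows jailed processes' sockets under the jail's IP address.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `sockstat -4l`-style text on
# stdin and reports TCP listeners bound to the wildcard address ("*:port").

audit_listeners() {
    awk '
    $5 ~ /^tcp/ {
        # LOCAL ADDRESS column is addr:port; the port follows the last colon
        n = split($6, part, ":")
        port = part[n]
        addr = substr($6, 1, length($6) - length(port) - 1)
        if (addr == "*") {
            wild[port] = $2                  # command holding the wildcard bind
        } else if (port in specific) {
            specific[port] = specific[port] "," addr
        } else {
            specific[port] = addr
        }
    }
    END {
        for (p in wild) {
            if (p in specific)
                # per the thread, the specific bind wins for that address
                printf "SHADOWED port %s: %s on * loses to bind on %s\n", p, wild[p], specific[p]
            else
                printf "WILDCARD port %s: %s on *\n", p, wild[p]
        }
    }' | sort
}

# Constructed sample input (documentation addresses, hypothetical PIDs).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
root     sshd       977   3  tcp4   192.0.2.9:22          *:*
root     sendmail   455   4  tcp4   192.0.2.8:25          *:*
root     inetd      430   5  tcp4   *:21                  *:*
EOF
}

sample_sockstat | audit_listeners
```

On a live host the input would be `sockstat -4l | audit_listeners`; every line it prints names a daemon that still needs an explicit listen address.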