From: "."@babolo.ru
To: "Simon L. Nielsen"
cc: freebsd-net@freebsd.org
Date: Tue, 6 May 2003 07:00:38 +0400 (MSD)
Subject: Re: To DNS serve, or not to
In-Reply-To: <20030505215919.GB392@nitro.dk>
Message-Id: <1052190038.108778.2250.nullmailer@cicuta.babolo.ru>

> On 2003.05.06 01:41:32 +0400, "."@babolo.ru wrote:
>
> > > .. in jails.
> > This effectively protects from remote exploits
> > (converts them to DOS)
> > http://free.babolo.ru/ports/jailup/
> > for easy to use and administrate jail based
> > services
>
> Looks interesting - do you have it available in some format which is
> simpler to download than getting each file from the HTTP server? (e.g.
> as tarballs of the dirs).

    cd /usr/ports
    env CVSROOT=anoncvs@cvs.pike.ru:/repo/ports cvs get devel/babolo-libmake
    env CVSROOT=anoncvs@cvs.pike.ru:/repo/ports cvs get jailup

These are ports; they work as usual ports
(they depend on each other and on other ports).
Actual distfiles can be found from the ports above, or

    env CVSROOT=anoncvs@cvs.pike.ru:/repo/jailup cvs get .

in development.

Usage:
dedicate some file system for jail, mount it to /jail
(or change in /usr/local/etc/jailup.conf)
then to build jail:

    jailup bind8 relative-path hostname-for-jail ip-addr

inspect and de-comment /etc/rc.conf, /etc/fstab, /usr/local/etc/jailup.rc
mount and

    /usr/local/etc/rc.d/jailup.sh start named

Other jails are controlled in the same manner.
Some jailups (ssh based or innd) install strings in /etc/rc.local.
The command 'jailup' without parameters just lists possible kinds
and 'jailup kind' lists short help.
Every string installed into control files is commented out.

Oh, sorry - patch:
http://free.babolo.ru/patch/src.usr.sbin.jail.patch
for jail(1) - the base system has a very primitive jail(1).
You do not have to replace the system jail with the patched command;
you can place it somewhere and change in /usr/local/etc/jailup.conf
the string

    jail=/usr/bin/jail

to

    jail=/somewhere/jail

I build, rebuild and control hundreds of different jails
on 11 different servers - and jailup gives me time for life :-)