From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 14:09:45 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9ECC537B401 for ; Mon, 14 Jul 2003 14:09:45 -0700 (PDT) Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id B216F43F93 for ; Mon, 14 Jul 2003 14:09:44 -0700 (PDT) (envelope-from nick@milla.ask33.net) Received: by milla.ask33.net (Postfix, from userid 1001) id B72913ABB4C; Mon, 14 Jul 2003 23:15:18 +0200 (CEST) Date: Mon, 14 Jul 2003 23:15:18 +0200 From: Pawel Jakub Dawidek To: "V. Jones" Message-ID: <20030714211518.GD4973@garage.freebsd.pl> References: <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="qGW1X6pRZ+lkBpGQ" Content-Disposition: inline In-Reply-To: <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net> X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc X-OS: FreeBSD 4.8-RELEASE i386 X-URL: http://garage.freebsd.pl User-Agent: Mutt/1.5.1i cc: freebsd-security@freebsd.org Subject: Re: Re: jails, ipfilter & stunnel X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Jul 2003 21:09:45 -0000 --qGW1X6pRZ+lkBpGQ Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jul 14, 2003 at 12:39:50PM -0400, V. Jones wrote: +> >You can check my patch for multiple ips in jails which also fix +> >sockets ordering behaviour. +>=20 +> > For FreeBSD 4.x: +> > http://garage.freebsd.pl/mijail.tbz +> > http://garage.freebsd.pl/mijail.README +> > For FreeBSD 5.1-CURRENT: +> > http://garage.freebsd.pl/mijail5.tbz +> > http://garage.freebsd.pl/mijail5.README +> > http://garage.freebsd.pl/patches/mijail5.patch +>=20 +> I have a feeling you're trying to tell me something important +> but I'm not understanding. Is this a problem only with ssh or=20 +> with any server listening on a port? Does this problem occur=20 +> when you share an ip address between two jailed servers or does=20 +> it happen any time you use a jail? Would having ssh on a=20 +> different port on each jail avoid the problem? No, because an attacker is able to spoof your daemons from main host or other jails. Even if you're binded to a valid IP (not INADDR_ANY) there could be always a chance to DoS existing daemon and reuse its port. My advice is simple: every jail and main host should have its own IP addres= s. --=20 Pawel Jakub Dawidek pawel@dawidek.net UNIX Systems Programmer/Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am! http://cerber.sourceforge.net --qGW1X6pRZ+lkBpGQ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPxMdZj/PhmMH/Mf1AQE4EQP9H1Q1ylhKJ+lPi8S7kZcI9jE1jK8Hneb0 4+MsrM/QEV0oKTnITtSqPwTGAJZsZrqDyWyeUAiErUeVJ8/m+KmfmCKvPq0c/B+T w/aEs2lLIA/jfZJfHbLr5vbD5RDTMV5jpkDdq4TDCJLYAlOs21OgEmpuyKocihtE WvAunBmJ3pY= =V02Q -----END PGP SIGNATURE----- --qGW1X6pRZ+lkBpGQ--