From: Richard Noorlandt
To: freebsd-jail@freebsd.org
Date: Sun, 31 May 2009 20:49:47 +0200
Subject: Implications of allow_raw_sockets=1
Message-ID: <99c92b5f0905311149u4023d197s7302fae0b816d463@mail.gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

Hello everyone,

I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of jails that run all kinds of network services. One of the jails is running Nagios, which will monitor hosts in the network. The most straightforward way to let Nagios decide if a host is up or down is by pinging other hosts. However, by default this won't work because the security.jail.allow_raw_sockets sysctl is set to '0'.

It would be nice if I was able to ping from the Nagios jail, but the risks of setting security.jail.allow_raw_sockets=1 aren't really clear to me. Some online searching suggests that the sysctl defaults to 0 because raw sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe this has changed. Unfortunately I can't find a clear overview of the security risks involved with allowing raw sockets.

So, what are the exact security implications of allowing raw sockets inside jails on FreeBSD 7.1? And is there a way to restrict raw sockets to specific jails?

Best regards,

Richard