From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 00:19:04 2003
Message-ID: <3F13AAE4.9020506@geminix.org>
Date: Tue, 15 Jul 2003 09:19:00 +0200
From: Uwe Doering
Organization: Private UNIX Site
To: "V. Jones"
Cc: freebsd-security@freebsd.org
In-Reply-To: <1868570.1058215847119.JavaMail.nobody@beaker.psp.pas.earthlink.net>
Subject: Re: jails, ipfilter & stunnel
List-Id: Security issues [members-only posting]

V. Jones wrote:
>> Good point. I forgot to mention that you should bind daemons running
>> outside the jails explicitly to the server's IP address. This
>> circumvents the problem you've pointed out. But I agree with you that
>> people would be less likely to shoot themselves in the foot if the
>> kernel took care of things in this situation.
>
> Oh - okay. The directions I followed in "Absolute BSD" had me configure
> all daemons so that they only listened on the main IP address. Is this
> what you guys are talking about? Actually, the book said the jailed
> server wouldn't even start if this wasn't done.
>
> For example, in my /etc/ssh/sshd_config:
>
> ListenAddress x.x.x.8

Yes, this is the way to do it.

   Uwe
-- 
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
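The advice in this thread is to make every daemon on the jail host listen on the host's own address rather than on the wildcard address, so that nothing outside a jail answers (or contends for) connections aimed at the jails' addresses. The script below is an added example, not code from the thread or from FreeBSD: it audits a host for wildcard listeners by parsing `sockstat -4l` output and prints the configuration line that pins each known daemon to the host address. The host address 192.0.2.8 stands in for the "x.x.x.8" in the thread, and the sockstat output is constructed sample data; on a real host you would pipe the live `sockstat -4l` output into `audit_listeners` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): find daemons on a FreeBSD
# jail host that listen on the wildcard address "*" and would therefore
# also receive connections addressed to the jails' IP addresses.
#
# Assumptions (hypothetical): the host's own address is 192.0.2.8 (stands
# in for the thread's "x.x.x.8"); SAMPLE_SOCKSTAT is constructed to mimic
# `sockstat -4l` output and is not from any real system.

HOST_IP=192.0.2.8

# Constructed sample of `sockstat -4l` output. 192.0.2.9 is a jail's
# address; "*" is the wildcard (INADDR_ANY) binding we want to flag.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     sendmail   601   3  tcp4   192.0.2.8:25          *:*
root     inetd      433   5  tcp4   *:21                  *:*
www      httpd      900   4  tcp4   192.0.2.9:80          *:*
root     syslogd    321   6  udp4   *:514                 *:*'

# audit_listeners reads sockstat output on stdin and prints one line per
# wildcard listener as "COMMAND PID PROTO PORT". The header line is
# skipped; the LOCAL ADDRESS column is field 6.
audit_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ {
            split($6, addr, ":")
            print $2, $3, $5, addr[2]
        }'
}

# wildcard_count returns how many wildcard listeners the sample contains,
# so the audit result can be checked as a value rather than eyeballed.
wildcard_count() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners | wc -l | tr -d ' '
}

# fix_hint prints the setting that binds a given daemon to the host
# address. Only the daemons this example knows are covered; the options
# named are the ones documented for the FreeBSD base system daemons.
fix_hint() {
    case "$1" in
        sshd)    echo "sshd_config: ListenAddress $HOST_IP" ;;
        inetd)   echo "rc.conf: inetd_flags=\"-wW -C 60 -a $HOST_IP\"" ;;
        syslogd) echo "rc.conf: syslogd_flags=\"-b $HOST_IP\"" ;;
        *)       echo "$1: check its manual page for a bind/listen address option" ;;
    esac
}

# Report: one line per offending daemon followed by the fix for it.
report() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners |
    while read -r cmd pid proto port; do
        echo "$cmd (pid $pid) listens on *:$port/$proto"
        echo "  -> $(fix_hint "$cmd")"
    done
}

report
```

Run it against the live system with `sockstat -4l | audit_listeners`; any line it prints is a daemon that will answer on every address the host owns, jail addresses included, and should get a listen-address setting like the `ListenAddress` line quoted above.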