From: Bigby Findrake <bigby@ephemeron.org>
To: freebsd-security@freebsd.org, nospam@mgedv.net
Date: Fri, 5 May 2006 14:41:48 -0700 (PDT)
Subject: Re: Jails and loopback interfaces
In-Reply-To: <200605041539.k44FdIpP046875@lurza.secnetix.de>
Message-ID: <20060505142334.G26390@home.ephemeron.org>

On Thu, 4 May 2006, Oliver Fromme wrote:

> > 192.168.10.1 = jail ip of the ws
> > 127.0.0.1 = jail ip of the db
>
> Don't use those IPs.  In particular it's probably not a
> good idea to use localhost as a jail IP.  Use only loopback
> IPs (other than localhost), like the example that I wrote
> above.

I agree with Oliver here - there's a difference between using the loopback
adapter and using the localhost (127.0.0.1) IP.  I would strongly recommend
against using localhost as a jail IP unless you have a specific reason *to*
do that - in other words, just assign an alias to the loopback adapter and
use that alias for the jail.

One reason that comes to mind immediately in response to the unasked
question, "why not use the loopback address for a jail?" is that using the
loopback address for a jail makes it hard to separate (for use by packet
filters, for instance) host machine traffic from jail machine traffic.
There are probably other good reasons for *not* using the loopback address
for a jail as well, but I can't think of any of them.

> And of course you should use appropriate packetfilter rules to enforce
> what kind of access between the jails is allowed.  Only allow what you
> need.

I agree again.  If you're using the jail for security, lock it down, only
allow traffic that should be going to (and from!) the jail, and disallow
everything else.  Servers tend to accept connections, and not initiate
them.  If this is the case for your server processes, use stateful firewall
rules to enforce the direction of connections - for instance, you might
want to allow connections to port 80 on your jail, but you probably
wouldn't want people launching attacks *from* port 80 on your jail once
they compromise your webserver.  Assume that your jail will get hacked, and
do all you can to prevent that jail from being a useful staging point for
your attacker's next wave of attacks.

/-------------------------------------------------------------------------/
That's where the money was.
                      -- Willie Sutton, on being asked why he robbed a bank

finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
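The two points made in the reply above (put the db jail on a loopback alias rather than 127.0.0.1 so packet filters can tell it apart from host traffic, and use stateful rules so the jails can only accept the connections they are meant to serve) combine into a short pf ruleset. The fragment below is an added example, not something posted in this thread or shipped by FreeBSD. It assumes the host's external NIC is em0, that the ws jail's 192.168.10.1 is an alias on that NIC, that the db jail listens on TCP 5432, and that 127.0.0.2 was added with `ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255`; all four are assumptions chosen for the example.

```pf
# pf.conf fragment for a host running two jails:
#   ws (web server)  at 192.168.10.1, an alias on the host's external NIC
#   db (database)    at 127.0.0.2, an alias on lo0 (NOT 127.0.0.1)
# Assumed for this example (not from the thread): the NIC is em0, the
# database listens on TCP 5432, and 127.0.0.2 was added with
#   ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255

ext_if  = "em0"
ws_jail = "192.168.10.1"
db_jail = "127.0.0.2"
db_port = "5432"
jails   = "{" $ws_jail $db_jail "}"

# Never "set skip on lo0" on this host: the db jail lives on lo0, so lo0
# has to be filtered like any other interface.
set block-policy drop
scrub in all

# Default deny for anything sent to or from a jail address.  Because neither
# jail uses 127.0.0.1, the host's own localhost traffic is untouched by these
# two rules; that separation is the reason the jails get distinct loopback
# aliases instead of localhost.
block drop log from $jails to any
block drop log from any to $jails

# Clients may open HTTP connections to the ws jail.  The state entry created
# here carries the replies back out; no other packet from the ws jail to the
# outside matches a pass rule.
pass in on $ext_if proto tcp from any to $ws_jail port 80 \
    flags S/SA keep state

# The ws jail may open connections to the db jail, and only to the db port.
# A loopback packet is seen twice (out on lo0, then in on lo0); the floating
# state created by this rule covers both legs and the replies.
pass out on lo0 proto tcp from $ws_jail to $db_jail port $db_port \
    flags S/SA keep state

# Deliberately absent: any "pass out ... from $ws_jail to any" rule.  If the
# web server is compromised, connections the attacker tries to open from the
# jail (to the network, to the host, or to the db jail on other ports) hit
# the default deny above and are logged on pflog0.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the macro and list expansion with `pfctl -s rules`; `pfctl -s state` shows the state entries that carry the replies. If the db jail had been given 127.0.0.1 instead, the `block ... from $jails` rules would also cut off every local service on the host, which is the packet-filter problem the reply describes.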