From owner-freebsd-questions Tue Dec 3 2:41:15 2002
Date: Tue, 3 Dec 2002 10:41:01 +0000
From: Matthew Seaman
To: FreeBSD Questions
Subject: Re: dhclient & dhcpd bind to address
Message-ID: <20021203104101.GB71336@happy-idiot-talk.infracaninophi>
In-Reply-To: <20021203100543.GA21943@rock.stable.ch>

On Tue, Dec 03, 2002 at 11:05:43AM +0100, Thomas Spreng wrote:
> I'm just trying to set up some jails on my master machine. According
> to the man page, you have to change daemons from listening to all
> local addresses.
> I have done this for every tcp port that is listed
> within the netstat command. But I'm having problems with some daemons
> that are listening for udp packets on all interfaces.
>
> netstat -na:
>
> udp4       0      0  *.68                   *.*
> udp4       0      0  *.67                   *.*
>
> These ports are used by dhcpd (isc-dhcpd) and dhclient. Has anyone ever
> managed to make those two programs only listen on a specific interface?
>
> PS: both daemons are run with an interface name as a command line argument
> that should make them only listen on that one:
> /usr/local/sbin/dhcpd fxp0
> /sbin/dhclient fxp1

Yes. Your jail should still work, except that you won't be able to run
any processes within it that bind to UDP ports 67 or 68. As you can't
run dhclient from within a jail and I don't think that running dhcpd
within a jail would be a particularly good idea either, that shouldn't
cause you any noticeable grief.

dhcpd is not the only culprit. I never could get named(8) to stop
binding to UDP port 1024, even though I've managed to restrict all its
TCP traffic to specific interfaces. Neither can I make ntpd(8) listen
on a specific interface. However, this has not deleteriously affected
the jail(8) I'm running. I could in theory use 'ntpq' or 'ntpdc' from
within the jail to sabotage the ntpd setup on the local machine, except
that the jail doesn't have the right ntp.keys file for that sort of
access.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
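As an added example (not part of this thread), a small POSIX shell check that pulls every wildcard-bound (`*.port`) TCP/UDP socket out of `netstat -na` output, i.e. the listeners the jail(8) man page asks you to re-bind to a specific address before starting jails; the netstat sample below is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: find sockets bound to the
# wildcard address (INADDR_ANY) in "netstat -na" output. Such listeners
# also answer on a jail's address, so they must be re-bound before the
# jail is started (or accepted, as with dhcpd/dhclient on UDP 67/68).

# Constructed sample in the format shown in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.22        *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
udp4       0      0  *.68                   *.*
udp4       0      0  *.67                   *.*
udp4       0      0  192.168.1.10.123       *.*
udp4       0      0  *.123                  *.*'

# wildcard_listeners: print "proto port" for each socket whose local
# address is "*.<port>", sorted and de-duplicated. Sockets already bound
# to a specific address (192.168.1.10.22 above) are left out.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)[46]?$/ && $4 ~ /^\*\.[0-9]+$/ {
            split($4, a, ".")
            print $1, a[2]
        }' | sort -u
}

# count_wildcard: number of wildcard-bound sockets in the given output.
count_wildcard() {
    wildcard_listeners "$1" | awk 'END { print NR }'
}

# On a live host run:  wildcard_listeners "$(netstat -na)"
wildcard_listeners "$SAMPLE_NETSTAT"
```

The two DHCP sockets from the thread show up as `udp4 67` and `udp4 68`; the ntpd socket bound to the host address is not reported, only its wildcard sibling.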