Date:      Sat, 17 Jan 2004 19:52:18 +0300 (MSK)
From:      Andrew Kolchoogin <andrew@rinet.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/61483: Jail security is not honored using IP Filter
Message-ID:  <20040117165218.4D2C9459@mowgli.rinet.ru>
Resent-Message-ID: <200401171700.i0HH0TMV096548@freefall.freebsd.org>


>Number:         61483
>Category:       kern
>Synopsis:       Jail security is not honored using IP Filter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 17 09:00:29 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Kolchoogin
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD mowgli.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #3: Fri Dec 19 19:18:12 MSK 2003 andrew@mowgli.rinet.ru:/usr/src/sys/compile/UNIX i386

>Description:
    Although there is no ability to see IP firewall rules set up using
the FreeBSD 'standard' ipfw package, the alternate firewall toolkit -- ipf --
doesn't honor jail security: ipfstat -io/ipnat -l work fine even inside a jail.

>How-To-Repeat:
    1) Set up any jail:

        mkdir /usr/jail
        cd /usr/src
        make buildworld
        make DESTDIR=/usr/jail installworld
        cd etc
        make DESTDIR=/usr/jail distribution

    2) Run a shell inside the jail:

        jail /usr/jail localhost 127.0.0.1 /bin/tcsh

    3) Start the 'ipfstat' command:

        ipfstat -io

    And you will see all of your IP filter rules set up outside the jail.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:


