From owner-freebsd-bugs@FreeBSD.ORG Sat Jan 17 09:00:34 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Sat, 17 Jan 2004 09:00:29 -0800 (PST)
Resent-Message-Id: <200401171700.i0HH0TMV096548@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Andrew Kolchoogin
Message-Id: <20040117165218.4D2C9459@mowgli.rinet.ru>
Date: Sat, 17 Jan 2004 19:52:18 +0300 (MSK)
From: Andrew Kolchoogin
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/61483: Jail security is not honored using IP Filter
Reply-To: Andrew Kolchoogin
List-Id: Bug reports
>Number:         61483
>Category:       kern
>Synopsis:       Jail security is not honored using IP Filter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 17 09:00:29 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Kolchoogin
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD mowgli.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #3: Fri Dec 19 19:18:12 MSK 2003 andrew@mowgli.rinet.ru:/usr/src/sys/compile/UNIX i386

>Description:
Although there is no ability to see IP firewall rules set up using FreeBSD's 'standard' ipfw package, the alternate firewall toolkit -- ipf -- doesn't honor jail security: ipfstat -io / ipnat -l work fine even inside a jail.

>How-To-Repeat:
1) Set up any jail:

	mkdir /usr/jail
	cd /usr/src
	make buildworld
	make DESTDIR=/usr/jail installworld
	cd etc
	make DESTDIR=/usr/jail distribution

2) Run a shell inside the jail:

	jail /usr/jail localhost 127.0.0.1 /bin/tcsh

3) Start the 'ipfstat' command:

	ipfstat -io

   And you will see all of your IP filter rules set up outside the jail.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
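The reproduction steps in the PR, turned into a small audit script that can be run from inside a jail to report whether IP Filter state from the host is visible. This is an added example, not part of PR kern/61483 and not code from FreeBSD or IP Filter. It assumes a FreeBSD system with ipfstat(8) and ipnat(8) in the PATH, and the "Permission denied" / "Operation not permitted" strings it treats as a refusal are ordinary strerror(3) messages assumed for illustration; the PR itself shows no error output, only the leaked rule listing.

```shell
#!/bin/sh
# Added audit script (not from PR kern/61483 or from FreeBSD/IP Filter).
# Run inside a jail as root: it executes the two commands named in the PR
# and classifies what they reveal about the host's IP Filter configuration.

# classify_ipf_output STDOUT_TEXT STDERR_TEXT
#   prints "exposed" if rule lines from ipfstat -io / ipnat -l are present
#          "denied"  if the kernel refused access (assumed strerror text)
#          "missing" if the tool itself is not installed in the jail
#          "empty"   otherwise (tool ran but printed no rules)
classify_ipf_output() {
    _out=$1
    _err=$2
    # ipfstat rules start with the action keyword (optionally "@N " with -n);
    # ipnat rules start with map/rdr/bimap.
    if printf '%s\n' "$_out" | grep -Eq '^(@[0-9]+ )?(pass|block|log|count|call|auth|preauth|skip|map|rdr|bimap) '; then
        echo exposed
        return 0
    fi
    if printf '%s\n' "$_err" | grep -Eq 'Permission denied|Operation not permitted'; then
        echo denied
        return 0
    fi
    if printf '%s\n' "$_err" | grep -q 'not found'; then
        echo missing
        return 0
    fi
    echo empty
}

# probe_ipf: run both commands from the PR and print one verdict per command.
probe_ipf() {
    _tmp=$(mktemp) || exit 1
    for _cmd in "ipfstat -io" "ipnat -l"; do
        _so=$($_cmd 2>"$_tmp" || true)
        _se=$(cat "$_tmp")
        printf '%-12s %s\n' "$_cmd:" "$(classify_ipf_output "$_so" "$_se")"
    done
    rm -f "$_tmp"
}

# Only probe when explicitly asked, so the file can also be sourced for its
# functions without touching the firewall devices.
if [ "${1:-}" = probe ]; then
    probe_ipf
fi
```

Invoke it as `sh ipfprobe.sh probe` (file name assumed) from the jailed shell; on a system showing the behaviour reported in the PR, the ipfstat line prints exposed, since the host's filter rules are returned to the jailed process. A system where the control device honours the jail would print denied or empty for both commands.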