From owner-freebsd-jail@freebsd.org Thu Jun 2 17:46:14 2016
From: markham breitbach
To: freebsd-jail@freebsd.org
Subject: Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
Date: Thu, 2 Jun 2016 11:45:57 -0600
Message-ID: <3392c787-6df5-5238-7de6-ad07d70442ae@ssimicro.com>
In-Reply-To: <20160602162137.7A719E8E382@barracuda.ssimicro.com>
References: <574f0851.ca0b620a.c7073.5becSMTPIN_ADDED_MISSING@mx.google.com> <574F54FC.3040203@gmail.com> <20160602162137.7A719E8E382@barracuda.ssimicro.com>

>> I disagree with you about the security issue of using localhost. Running
>> sendmail in a non-vimage jail using its default config listening on
>> localhost is still contained in the jail. Localhost is internally
>> converted to the jail's assigned IP address by jail(8).
> How is anything listening on localhost internally converted yet still
> contained in the jail? I mean what is the mechanism and why sendmail but not
> other daemons?
>
>> Why do you think this is a non-trivial security issue?
> telnet $jail 25
> ehlo ...
> mail from: <...>
> rcpt to: <...>
> data
>
> Sendmail has never been a relatively secure app and DOS/DDOS and spam are
> vulnerabilities but point taken.
>
> Problem is the localhost to external mapping impacts not just sendmail but
> named, postfix and anything else listening on 127.0.0.1.
>

I think, perhaps, you misunderstand this issue. Inside a jail, lo0 [127.0.0.1] is mapped directly to the primary IP address of the jail. For example, if you are building a typical public-facing web-hosting stack and you bind mysql to 127.0.0.1 expecting it to be only accessible to the localhost, you will be horribly surprised when you find you have just exposed your mysql server to the whole world.

That is a terrible security issue because someone working as the system administrator for that web host should not need to be aware that 127.0.0.1 isn't really localhost for this particular host. localhost should behave according to spec, and should not just magically map loopback packets onto the public network.

FTFRFC:

    127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].

-M
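An added check, not part of this thread or of FreeBSD itself, for the exposure described above: it scans sockstat(1) listener output for sockets bound to 127.0.0.1 in a non-VNET jail, where jail(8) makes them reachable on the jail's primary IPv4 address. The sample sockstat output, the jail address 10.0.0.5, and the assumed `jls -h` column behaviour are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag listeners bound to 127.0.0.1 in a
# non-VNET jail. jail(8) rewrites such binds to the jail's primary IPv4
# address, so the socket is reachable from the network despite the bind.

# Constructed sample of `sockstat -4 -l -j <jid>` output; the jail address
# 10.0.0.5 is an assumption for this example.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     812   18 tcp4   127.0.0.1:3306        *:*
root     sendmail   901    4 tcp4   127.0.0.1:25          *:*
www      nginx      777    6 tcp4   10.0.0.5:80           *:*'

# flag_loopback_listeners JAIL_IP   (reads sockstat output on stdin)
# Prints one line per socket bound to 127.0.0.1, naming the address it is
# really reachable at. The header row is skipped; data rows carry the local
# address in field 6.
flag_loopback_listeners() {
    awk -v ip="$1" 'NR > 1 && $6 ~ /^127\.0\.0\.1:/ {
        split($6, a, ":")
        printf "%s (pid %s) bound to 127.0.0.1:%s is reachable at %s:%s\n", $2, $3, a[2], ip, a[2]
    }'
}

# count_loopback_listeners JAIL_IP   (reads sockstat output on stdin)
# Prints the number of exposed listeners; 0 means nothing to fix.
count_loopback_listeners() {
    flag_loopback_listeners "$1" | awk 'END { print NR }'
}

# On a FreeBSD host, walk every running jail. Assumed: `jls -h` prints a
# header row, and a VNET jail shows "-" for ip4.addr (VNET jails get a real
# lo0, so they are skipped). For multi-address jails the first address is
# the primary one. Not executed here.
scan_all_jails() {
    jls -h jid ip4.addr | awk 'NR > 1' | while read -r jid ip4; do
        [ "$ip4" = "-" ] && continue
        sockstat -4 -l -j "$jid" | flag_loopback_listeners "${ip4%%,*}"
    done
}

# Demo on the constructed sample: mysqld and sendmail are flagged, nginx is not.
printf '%s\n' "$SAMPLE" | flag_loopback_listeners 10.0.0.5
```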