From owner-freebsd-questions@FreeBSD.ORG Tue Oct 14 22:07:39 2008
Date: Tue, 14 Oct 2008 17:07:38 -0500
From: Erik Osterholm <erik@cepheid.org>
To: freebsd-questions@freebsd.org
Message-ID: <20081014220738.GA76816@aleph.cepheid.org>
Subject: nmap and Nessus in a jail -- scans fail

Hi all,

Running 7.0-RELEASE-p2, I set up a jail from which to perform NMAP and
Nessus scans. I set the sysctl security.jail.allow_raw_sockets=1, which
I expected to prevent any problems. Unfortunately, I'm getting this
whenever I try to NMAP:

    $ sudo nmap -P0 localhost

    Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-14 16:56 CDT
    WARNING: Unable to find appropriate interface for system route to xxx.xx.xx.xx
    WARNING: Unable to find appropriate interface for system route to 127.0.0.1
    nexthost: failed to determine route to 127.0.0.1
    QUITTING!

Nessus scans fail shortly after being started if port scanning is
enabled. If port scanning is disabled, the vulnerability scan succeeds.

Identical configurations outside of a jail work just fine, which led me
to believe that the Nessus and NMAP issues are related to the processes
being jailed.

    $ sysctl -a | grep jail
    security.jail.jailed: 1
    security.jail.mount_allowed: 0
    security.jail.chflags_allowed: 1
    security.jail.allow_raw_sockets: 1
    security.jail.enforce_statfs: 2
    security.jail.sysvipc_allowed: 0
    security.jail.socket_unixiproute_only: 1
    security.jail.set_hostname_allowed: 1

Anyone have any hope for me?

Erik
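An added pre-flight check (not part of the mail above, and not nmap's own code) for the two things the failing scan depends on: whether this process may open a raw socket (what security.jail.allow_raw_sockets governs) and which source address the kernel's routing lookup picks for a target, done from inside the jail with a plain UDP connect() that needs no privilege. In a jail, 127.0.0.1 is rewritten to the jail's own address, so the report flags a loopback target that resolves to a non-loopback source; everything else is portable Python and assumes nothing about the host.

```python
#!/usr/bin/env python3
"""Pre-flight check for an nmap run inside a jail (added example)."""
import errno
import socket


def raw_socket_allowed() -> dict:
    """Try to open an ICMP raw socket, as a SYN/ping scan must."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except PermissionError:
        return {"ok": False, "reason": "EPERM: not root, or raw sockets "
                                       "disabled for this jail"}
    except OSError as e:
        name = errno.errorcode.get(e.errno, str(e.errno))
        return {"ok": False, "reason": f"{name}: {e.strerror}"}
    s.close()
    return {"ok": True, "reason": ""}


def route_source(target: str, port: int = 9) -> dict:
    """Ask the kernel which local address it would use to reach target.
    connect() on a UDP socket sends nothing; it only runs the route lookup."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((target, port))
        src = s.getsockname()[0]
    except OSError as e:
        return {"ok": False, "src": None, "reason": e.strerror or str(e)}
    finally:
        s.close()
    return {"ok": True, "src": src, "reason": ""}


def jail_route_report(target: str) -> dict:
    """Combine both checks; loopback_rewritten is the jailed-view symptom."""
    r = route_source(target)
    r["raw"] = raw_socket_allowed()
    r["loopback_rewritten"] = bool(
        r["src"] and target.startswith("127.") and not r["src"].startswith("127.")
    )
    return r


if __name__ == "__main__":
    import json
    import sys
    # Targets are taken from the command line; 127.0.0.1 mirrors the mail's case.
    for t in sys.argv[1:] or ["127.0.0.1"]:
        print(t, json.dumps(jail_route_report(t)))
```

Run it as root inside the jail with the same target the scan used; a raw-socket refusal or a loopback target reported with the jail's address is the condition the nmap warnings above correspond to.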