From: Nicholas Esborn
To: Uwe Doering
cc: "V. Jones"
cc: freebsd-security@freebsd.org
Date: Tue, 15 Jul 2003 09:19:09 -0700
Subject: Re: jails, ipfilter & stunnel

On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
> Pawel Jakub Dawidek wrote:
> >No, because an attacker is able to spoof your daemons from main host or
> >other jails. Even if you're bound to a valid IP (not INADDR_ANY) there
> >could always be a chance to DoS existing daemon and reuse its port.
> >
> >My advice is simple: every jail and main host should have its own IP
> >address.
>
> This is certainly the best solution, if you have multiple IP addresses
> at your disposal.
> What I was trying to point out is that there is no
> _technical_ reason for separate IP addresses with regard to FreeBSD's
> jail implementation. In cases where you cannot easily get additional IP
> addresses, on a rented server in a data center, for instance, running
> multiple jails on the same IP address (with the necessary safety
> precautions like binding daemons to IP addresses explicitly) is still
> far better than no jails at all. The difference is that it takes at
> least some skill and insight into FreeBSD internals to compromise the
> system as a whole in the former case, while in the latter each and every
> script kiddy can take over your entire server in no time.

Would it be useful to create multiple IP aliases on lo0, i.e. 127.0.0.2,
127.0.0.3, bind the jails to those, then use ipfw, ipf/ipnat, or a TCP
proxy to connect ports on the server's real IP to services bound to the
lo0 aliases?

I can imagine that this technique might not work for services which
identify the IP address to which they bind, but surely it could work in
some cases?

-nick
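The scheme Nick asks about, written out as an added example (this is not code from the thread, nor from FreeBSD's own documentation): one 127.0.0.x alias on lo0 per jail, each jail started on its own alias, and the public address's ports redirected to the aliases with either ipnat rdr (ipfilter) or ipfw fwd. The script only generates the host-side commands and rules, so it can be reviewed before anything is applied. The interface name fxp0, the public address 203.0.113.10, the jail table, the /usr/jail paths and the example.org hostnames are constructed assumptions; the jail(8) invocation is the path/hostname/ip/command form of the 4.x/5.x era.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the FreeBSD commands and
# packet-filter rules for "one lo0 alias per jail, redirect public ports
# to the aliases". Nothing here is executed; it prints what you would run.

EXT_IF="fxp0"                 # assumed external interface
EXT_IP="203.0.113.10"         # assumed public address (TEST-NET-3)

# Constructed jail table: name : lo0 alias : tcp port exposed on EXT_IP.
# One alias per jail, so every jail has an address of its own (Pawel's
# advice) even though the host owns a single routable IP.
JAILS="www:127.0.0.2:80
mail:127.0.0.3:25
dns:127.0.0.4:53"

# ifconfig lines that create the loopback aliases on the host.
alias_cmds() {
    echo "$JAILS" | while IFS=: read -r name addr port; do
        printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n' "$addr"
    done
}

# jail(8) start lines; path and hostname per jail are assumptions.
# Inside the jail, a bind() to INADDR_ANY is rewritten to the jail's
# address, so daemons there cannot grab the host's or another jail's IP.
jail_cmds() {
    echo "$JAILS" | while IFS=: read -r name addr port; do
        printf 'jail /usr/jail/%s %s.example.org %s /bin/sh /etc/rc\n' \
            "$name" "$name" "$addr"
    done
}

# ipnat(8) rdr rules: a connection arriving on EXT_IF for EXT_IP:port is
# rewritten to the jail's loopback alias before it reaches the socket.
ipnat_rdr_rules() {
    echo "$JAILS" | while IFS=: read -r name addr port; do
        printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
            "$EXT_IF" "$EXT_IP" "$port" "$addr" "$port"
    done
}

# The ipfw(8) equivalent using the fwd action, which needs the
# IPFIREWALL_FORWARD kernel option. Rule numbers start at 1000, step 10.
ipfw_fwd_rules() {
    n=1000
    echo "$JAILS" | while IFS=: read -r name addr port; do
        printf 'ipfw add %d fwd %s,%s tcp from any to %s %s in via %s\n' \
            "$n" "$addr" "$port" "$EXT_IP" "$port" "$EXT_IF"
        n=$((n + 10))
    done
}

# Usage: sh thisfile show   (prints all four groups for review)
if [ "${1:-}" = "show" ]; then
    alias_cmds
    jail_cmds
    echo "# ipnat rules:";  ipnat_rdr_rules
    echo "# ipfw rules:";   ipfw_fwd_rules
fi
```

Two caveats a practitioner should check before relying on this. First, the host's own daemons still need to be bound explicitly to EXT_IP rather than INADDR_ANY, otherwise they listen on the aliases as well and the separation Pawel was after is lost on the host side. Second, as Nick suspects, any service that announces its own address in-band (FTP passive mode is the usual case) will hand clients the 127.0.0.x alias, which they cannot reach, so those services need a proxy that rewrites the announcement rather than a plain port redirect. With ipfilter, inbound rdr translation happens before the filter rules see the packet, so anti-spoofing rules that block traffic to 127.0.0.0/8 on the external interface must be written with the translated destination in mind.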