Date: Mon, 28 Aug 2006 15:00:39 +0200
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Mike Meyer <mwm-keyword-freebsdhackers2.e313df@mired.org>
Cc: hackers@freebsd.org, Dirk Engling <erdgeist@erdgeist.org>
Subject: Re: jails, cron and sendmail
Message-ID: <20060828150039.21e8bd4a@localhost>
In-Reply-To: <17649.54252.987757.501860@bhuda.mired.org>
References: <44F0E38F.5030809@erdgeist.org> <17648.59470.572563.377998@bhuda.mired.org> <20060827052733.F16322@erdgeist.org> <17649.9146.307818.780974@bhuda.mired.org> <44F1B7B7.9090701@erdgeist.org> <17649.54252.987757.501860@bhuda.mired.org>

Mike Meyer <mwm-keyword-freebsdhackers2.e313df@mired.org> wrote:

> In <44F1B7B7.9090701@erdgeist.org>, Dirk Engling <erdgeist@erdgeist.org> typed:
> > > The default configuration doesn't expose sendmail to the publicly
> > > visible IP address. The daemon it runs only listens for connections to
> > > the localhost address.
> > Which is rewritten to the jail's (externally visible) address on a connect()
>
> Yup. I wasn't aware of that strange behavior of jails. That should be
> fixed.

Fixed how? Disallow jailed applications to connect to 127.0.0.1,
and thus break most of them, or have them reach 127.0.0.1 on the
host system and weaken the security?

I think the "strange behaviour" makes sense and it certainly
makes jailing servers easier.

Because of the security aspect it's a good idea to have the jail run
on a private IP address that's only reachable through packet
filter and port forwarding anyway. Don't forward the ports you
don't need and the "problem" is solved.

> I think the better fix would be to make jails not expose their
> localhost IP address to the outside world.

Exactly.

Fabian
--
http://www.fabiankeil.de/
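
The setup recommended in the message above, as an added pf.conf sketch that is not part of the original e-mail: the jail runs on a private address and only the ports it is meant to serve are forwarded. The interface name, the addresses and the choice of port 80 are assumptions for illustration.

```pf
# /etc/pf.conf sketch (added example; every name and address is an assumption)
ext_if   = "em0"        # assumed external interface of the host
jail_ip  = "10.0.0.2"   # assumed private jail address, e.g. an alias on a cloned lo1
jail_tcp = "{ 80 }"     # the only service this jail is meant to offer

# Do not filter the host's own loopback traffic.
set skip on lo0

# Outbound connections from the jail leave with the host's public address.
nat on $ext_if inet from $jail_ip to any -> ($ext_if)

# Forward only the wanted ports to the jail. A daemon inside the jail that
# binds "localhost" ends up listening on $jail_ip (the rewrite discussed in
# the thread), for example sendmail on port 25. That port has no rdr rule,
# so it cannot be reached from outside.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $jail_tcp -> $jail_ip

# Default deny inbound; rdr is applied before filtering, so the pass rule
# matches the translated destination address.
block in all
pass out all keep state
pass in on $ext_if inet proto tcp from any to $jail_ip port $jail_tcp flags S/SA keep state
```

Running `sockstat -4l` on the host shows which jail sockets are bound to the jail address, which helps confirm that every listener without a matching rdr rule stays unreachable.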