From owner-freebsd-hackers@FreeBSD.ORG Mon Aug 28 13:00:54 2006
Date: Mon, 28 Aug 2006 15:00:39 +0200
From: Fabian Keil
To: Mike Meyer
Cc: hackers@freebsd.org, Dirk Engling
Subject: Re: jails, cron and sendmail
Message-ID: <20060828150039.21e8bd4a@localhost>
In-Reply-To: <17649.54252.987757.501860@bhuda.mired.org>
References: <44F0E38F.5030809@erdgeist.org> <17648.59470.572563.377998@bhuda.mired.org> <20060827052733.F16322@erdgeist.org> <17649.9146.307818.780974@bhuda.mired.org> <44F1B7B7.9090701@erdgeist.org> <17649.54252.987757.501860@bhuda.mired.org>
X-Mailer: Sylpheed-Claws 2.3.1 (GTK+ 2.8.19; i386-portbld-freebsd6.1)
List-Id: Technical Discussions relating to FreeBSD

Mike Meyer wrote:

> In <44F1B7B7.9090701@erdgeist.org>, Dirk Engling typed:
> > > The default configuration doesn't expose sendmail to the publicly
> > > visible IP address. The daemon it runs only listens for connections to
> > > the localhost address.
> > Which is rewritten to the jail's (externally visible) address on a connect()
>
> Yup. I wasn't aware of that strange behavior of jails. That should be
> fixed.

Fixed how? Disallow jailed applications to connect to 127.0.0.1, and thus
break most of them, or have them reach 127.0.0.1 on the host system and
weaken the security?

I think the "strange behaviour" makes sense and it certainly makes jailing
servers easier. Because of the security aspect it's a good idea to have
the jail run on a private IP address that's only reachable through packet
filter and port forwarding anyway. Don't forward the ports you don't need
and the "problem" is solved.

> I think the better fix would be to make jails not expose their
> localhost IP address to the outside world.

Exactly.

Fabian
-- 
http://www.fabiankeil.de/
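The thread's point is that inside a jail a bind to 127.0.0.1 is really a bind to the jail's address, so "listens on localhost" gives no isolation by itself; what protects the service is a private jail address plus a packet filter that forwards only the needed ports. The script below is an added audit example (not code from the thread or from FreeBSD): it takes the listing of listening sockets inside the jail in the column layout of `sockstat -4 -l` (here a constructed sample, not a real capture), counts every tcp4 listener, 127.0.0.1 binds included, as reachable on the jail address, and marks each port as forwarded or private-only against an assumed forwarding list.

```sh
#!/bin/sh
# Added example. Classify a jail's listening TCP sockets by whether the
# host packet filter forwards them from the public address. A 127.0.0.1
# bind is counted like any other, because the jail rewrites it to its
# own IP and it is therefore reachable on that address.

# Constructed sample in `sockstat -4 -l` column order (not a real capture).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  3  tcp4   127.0.0.1:25          *:*
root     sshd       1200  4  tcp4   *:22                  *:*
www      httpd      1300  5  tcp4   10.0.0.5:80           *:*
root     syslogd    1100  6  udp4   *:514                 *:*'

# Assumed policy: the only ports the packet filter redirects to the jail.
FORWARDED="22 80"

# Print "port command" for every tcp4 listener in the listing.
# $5 is PROTO, $6 is LOCAL ADDRESS; the port is the text after the last ':'.
jail_tcp_listeners() {
    printf '%s\n' "$1" | awk '$5 == "tcp4" {
        n = split($6, a, ":"); print a[n], $2 }'
}

# Print "port command state", state being "forwarded" when the port is in
# the forwarding list and "private-only" otherwise (reachable on the jail
# address, but only from the host or its private network).
classify_listeners() {
    jail_tcp_listeners "$1" | while read -r port cmd; do
        state="private-only"
        for f in $2; do
            [ "$f" = "$port" ] && state="forwarded"
        done
        printf '%s %s %s\n' "$port" "$cmd" "$state"
    done
}

classify_listeners "$SAMPLE" "$FORWARDED"
```

On a real jail, replace SAMPLE with the output of `sockstat -4 -l` run inside it and FORWARDED with the ports your rdr rules actually redirect; a "private-only" line for a service you expected to be hidden confirms it is reachable on the jail address and depends on the filter for protection.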