From: Mike Meyer
To: Fabian Keil
Cc: Dirk Engling, hackers@freebsd.org
Subject: Re: jails, cron and sendmail
Date: Mon, 28 Aug 2006 09:38:44 -0400

In <20060828150039.21e8bd4a@localhost>, Fabian Keil typed:
> Mike Meyer wrote:
>
> > In <44F1B7B7.9090701@erdgeist.org>, Dirk Engling typed:
>
> > > > The default configuration doesn't expose sendmail to the publicly
> > > > visible IP address. The daemon it runs only listens for connections to
> > > > the localhost address.
> > > Which is rewritten to the jail's (externally visible) address on a connect()
> > Yup. I wasn't aware of that strange behavior of jails. That should be
> > fixed.
> Fixed how? Disallow jailed applications to connect to 127.0.0.1,
> and thus break most of them, or have them reach 127.0.0.1 on the
> host system and weaken the security?
>
> > I think the better fix would be to make jails not expose their
> > localhost IP address to the outside world.
> Exactly.

Ok, I'm confused. Exactly how is fixing jails to not expose their
localhost IP address to the outside world not fixing this strange
behavior of jails?

--
http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
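
Added example, not part of the original message or of any FreeBSD code: a Python check that can be run inside a jail to see the behaviour discussed in this thread, by binding to 127.0.0.1 and comparing it with the address the kernel actually assigned, and by flagging listeners in `sockstat -4l` style output that are not bound to loopback. The function names, the sample listing and the jail address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample in the layout of `sockstat -4l` run inside a jail whose
# address is 192.0.2.10 (documentation range); not output from the thread.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   612   4  tcp4   192.0.2.10:25         *:*
root     syslogd    540   6  udp4   192.0.2.10:514        *:*
"""

def classify_bind(requested, actual):
    """Compare the address a daemon asked for with the one the kernel assigned."""
    req, act = ipaddress.ip_address(requested), ipaddress.ip_address(actual)
    if act == req:
        return "unchanged"
    if req.is_loopback and not act.is_loopback:
        return "loopback-rewritten"  # the jail behaviour discussed in the thread
    return "rewritten"

def probe_loopback_bind(requested="127.0.0.1"):
    """Bind an ephemeral TCP port to `requested` and report the effective address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((requested, 0))
        actual = s.getsockname()[0]
    return actual, classify_bind(requested, actual)

def exposed_listeners(sockstat_text):
    """Return (command, local address) for listeners not bound to loopback."""
    found = []
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        command, local = fields[1], fields[5]
        host = local.rsplit(":", 1)[0]
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            found.append((command, local))
    return found

if __name__ == "__main__":
    try:
        print("effective bind:", probe_loopback_bind())
    except OSError as exc:
        print("bind failed:", exc)
    for command, local in exposed_listeners(SAMPLE_SOCKSTAT):
        print(f"{command} listens on {local}, which is not a loopback address")
```

On an unjailed host the probe reports `unchanged`; a `loopback-rewritten` result means a daemon configured for localhost only is in fact listening on the jail's own address and needs a packet filter rule or an explicit bind address to stay private.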