Date:      Mon, 14 Jul 2003 23:15:18 +0200
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        "V. Jones" <vjones62@earthlink.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Re: jails, ipfilter & stunnel
Message-ID:  <20030714211518.GD4973@garage.freebsd.pl>
In-Reply-To: <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net>
References:  <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net>
On Mon, Jul 14, 2003 at 12:39:50PM -0400, V. Jones wrote:
+> >You can check my patch for multiple ips in jails which also fix
+> >sockets ordering behaviour.
+>
+> >   	For FreeBSD 4.x:
+> >   	http://garage.freebsd.pl/mijail.tbz
+> >   	http://garage.freebsd.pl/mijail.README
+> >   	For FreeBSD 5.1-CURRENT:
+> >   	http://garage.freebsd.pl/mijail5.tbz
+> >   	http://garage.freebsd.pl/mijail5.README
+> >   	http://garage.freebsd.pl/patches/mijail5.patch
+>
+> I have a feeling you're trying to tell me something important
+> but I'm not understanding.  Is this a problem only with ssh or
+> with any server listening on a port?  Does this problem occur
+> when you share an ip address between two jailed servers or does
+> it happen any time you use a jail?  Would having ssh on a
+> different port on each jail avoid the problem?

No, because an attacker is able to spoof your daemons from the main host or
other jails. Even if you're bound to a valid IP (not INADDR_ANY), there
could always be a chance to DoS the existing daemon and reuse its port.

My advice is simple: every jail and main host should have its own IP address.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
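The "DoS the daemon, then reuse its port" scenario from the reply above, as an added example that is not part of the original thread or of the mijail patch. It assumes a single host where 127.0.0.1 stands in for the one IP shared between the main host and its jails: jails share the kernel's port namespace for that IP, so any process that may bind the address can claim the port the moment the real daemon is gone. "daemon" plays the legitimate jailed service and "rogue" plays a process in another jail or on the main host; the names, the banner strings and the loopback address are all assumptions for the demo. The wildcard-versus-specific bind ordering that the patch changes is OS-specific and is not reproduced here; only the takeover after the daemon dies is shown.

```python
"""Port takeover after a daemon on a shared IP goes down.

Added example, not from the original thread. 127.0.0.1 on one host stands in
for an IP shared between the main host and its jails (an assumption for the
demo); "daemon" is the legitimate service, "rogue" a process elsewhere on the
same kernel that can bind the same address.
"""
import errno
import socket
import threading


def _listener(host, port):
    """Bind and listen on host:port; port 0 lets the kernel pick a free one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def _serve_one(listener, banner):
    """Accept a single client, send it a banner, then hang up (thread body)."""
    conn, _ = listener.accept()
    conn.sendall(banner)
    conn.close()


def _fetch_banner(host, port):
    """Connect like an ordinary client and return whatever greets us."""
    with socket.create_connection((host, port), timeout=5) as client:
        return client.recv(64).decode()


def demo_port_takeover(host="127.0.0.1"):
    """Walk through the scenario and report the outcome of each step."""
    report = {}

    # 1. The legitimate daemon binds a specific IP (not INADDR_ANY), which is
    #    the "valid IP" case the reply says is still not enough.
    daemon = _listener(host, 0)
    port = daemon.getsockname()[1]

    # 2. While the daemon is alive, a rogue bind to the same IP:port, and to
    #    the wildcard address that covers it, is refused by the kernel, so a
    #    live daemon cannot simply be shadowed.
    for addr in (host, "0.0.0.0"):
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            probe.bind((addr, port))
            report["rogue_bind_" + addr] = "succeeded"
        except OSError as exc:
            report["rogue_bind_" + addr] = errno.errorcode.get(exc.errno, str(exc.errno))
        finally:
            probe.close()

    # 3. The daemon is knocked over (crash, DoS, restart): its listening socket
    #    disappears and the port on the shared IP is free for anyone.
    daemon.close()

    # 4. The rogue binds the very same IP:port and answers in the daemon's
    #    place; a client using the daemon's address now talks to the rogue.
    rogue = _listener(host, port)
    worker = threading.Thread(target=_serve_one, args=(rogue, b"ROGUE"))
    worker.start()
    report["banner_after_daemon_down"] = _fetch_banner(host, port)
    worker.join()
    rogue.close()
    return report


if __name__ == "__main__":
    for step, outcome in demo_port_takeover().items():
        print("%-26s %s" % (step, outcome))
```

Running it shows both rogue binds refused with EADDRINUSE while the daemon is up, and the client receiving the rogue's banner once the daemon is down. Moving sshd to a different port per jail does nothing against this, since the rogue does not care which port it has to wait for. Giving every jail and the main host its own IP, as the reply advises, removes the shared address the rogue would need to bind in the first place.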