Date: Tue, 31 May 2005 09:34:32 +0200
From: Harald Schmalzbauer <harry@schmalzbauer.de>
To: freebsd-current@freebsd.org
Subject: unwanted packet forwarding / PR candidate?
Message-ID: <200505310934.43162@harrymail>
Hello,

in a previous e-mail I described some problems with multihomed jail systems. But there is another general problem.

                     INET
                       |
     |-----------|   |---------|   |--------|
     |   Box A   |   |----A----|   | Box B  |
     |if0     if1|   | Router  |   |        |
     |-v-------v-|   |-v-----v-|   |-v------|
       |       |       |     |       |
       |       |  DMZ  |     |       |
       |       |-------|     |       |
       |                     |       |
       |---------------------|-------|
                     LAN

If you look at the diagram you see Box A with two interfaces, if0 (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for the DMZ (192.168.0/24). The IP(s) of if1 is (are) bound to jail(s)!

Now when I connect from BoxB (172.16.0.3) to a jail running on BoxA (192.168.0.2) the outgoing packets go over the router into the DMZ. But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2 (BoxA if0) I can connect to the jail running on BoxA via the if0 interface, even if I haven't enabled forwarding on BoxA.

This is a big security hole IMHO. Should I file a PR for that?

My particular problem now is that if I connect from BoxB to a jail on BoxA the answering packets won't go over the router but are instead sent directly over if0 back to the LAN. Any suggestions how to solve this? (fwd in IPFW and route-to in PF, but I think this should be handled by the system if jails are used.)

Is it possible (by design of jails) to implement a dedicated interface for a jail?

Thanks,
-Harry
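As an added illustration (not part of the original mail), this is what the "route-to in PF" approach the poster mentions could look like in pf.conf on BoxA: packets for DMZ addresses are not accepted on the LAN interface, and replies to LAN clients that reached the jail via the DMZ are forced back out through the DMZ interface. The interface names if0/if1 are taken from the diagram; the router's DMZ-side address 192.168.0.1 is an assumed placeholder, since the mail does not give it.

```pf
# Added example, not from the original mail. if0/if1 come from the
# diagram; the router's DMZ address (192.168.0.1) is a placeholder.
lan_if  = "if0"
dmz_if  = "if1"
lan_net = "172.16.0.0/16"
dmz_net = "192.168.0.0/24"
jail_ip = "192.168.0.2"
dmz_gw  = "192.168.0.1"    # router's DMZ-side address (assumed)

# Traffic for DMZ addresses must never arrive on the LAN interface.
# A static route on a LAN host pointing 192.168.0/24 at if0 is exactly
# the path that reaches the jail without the router, so log and drop it.
block in log quick on $lan_if inet from any to $dmz_net

# Connections from the LAN that correctly came in via the DMZ: send the
# replies back out through the DMZ interface to the router instead of
# letting the routing table push them straight out if0 onto the LAN.
pass in on $dmz_if reply-to ($dmz_if $dmz_gw) inet proto { tcp udp } \
    from $lan_net to $jail_ip keep state
```

Check the effect with `pfctl -sr` (rules loaded) and `pfctl -ss` (states carrying the reply-to route) before relying on it.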