Re: Re: jails, ipfilter & stunnel
From: V. Jones (vjones62_at_earthlink.net)
Date: 07/14/03
- Previous message: Pawel Jakub Dawidek: "Re: jails, ipfilter & stunnel"
- Maybe in reply to: Pawel Jakub Dawidek: "Re: jails, ipfilter & stunnel"
- Next in thread: Pawel Jakub Dawidek: "Re: Re: jails, ipfilter & stunnel"
- Maybe reply: V. Jones: "Re: Re: Re: jails, ipfilter & stunnel"
- Maybe reply: V. Jones: "Re: Re: Re: jails, ipfilter & stunnel"
- Reply: Pawel Jakub Dawidek: "Re: Re: jails, ipfilter & stunnel"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 14 Jul 2003 12:39:50 -0400 (EDT)
To: freebsd-security@freebsd.org
> No, no, no!
> You first need to realize how the kernel will choose the listen socket.
> If you bind to port 22 on the main host with INADDR_ANY, you get this
> INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
> it will be translated to the jail's IP. Now if there is an open port outside
> the jail and inside some jail it is opened as well, guess which socket will
> be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the kernel
> translates them to the jail's IP). So from a security point of view, if someone
> breaks into your jail, he is able to spoof your sshd (let's forget
> for a moment about server keys), your mail server or anything,
> and get your password, for example.
> You can check my patch for multiple IPs in jails, which also fixes
> the socket ordering behaviour.
> For FreeBSD 4.x:
> http://garage.freebsd.pl/mijail.tbz
> http://garage.freebsd.pl/mijail.README
> For FreeBSD 5.1-CURRENT:
> http://garage.freebsd.pl/mijail5.tbz
> http://garage.freebsd.pl/mijail5.README
> http://garage.freebsd.pl/patches/mijail5.patch
I have a feeling you're trying to tell me something important
but I'm not understanding. Is this a problem only with ssh or
with any server listening on a port? Does this problem occur
when you share an ip address between two jailed servers or does
it happen any time you use a jail? Would having ssh on a
different port on each jail avoid the problem?
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
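A check an administrator could run on the host to see whether the overlap Pawel describes exists, added here as an example and not part of the thread or of the mijail patch: it parses `sockstat -4l` output and lists every port that is bound both on the wildcard address (`*`) and on a specific address such as a jail's IP, since the quoted post says the specific socket wins the lookup. The sockstat lines embedded below are constructed sample data; on a real system pipe `sockstat -4l` into `find_shadowed_ports` instead.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (not taken from the thread):
# a host sshd and sendmail on the wildcard address, a jailed sshd and
# sendmail on the jail's IP (192.168.1.10, a made-up address), and a jailed
# httpd on port 80 with no host counterpart.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     sshd       1234  4  tcp4   192.168.1.10:22       *:*
www      httpd      1300  4  tcp4   192.168.1.10:80       *:*
root     sendmail   600   4  tcp4   *:25                  *:*
root     sendmail   1400  5  tcp4   192.168.1.10:25       *:*'

# find_shadowed_ports: read sockstat -4l style lines on stdin and print one
# "proto port specific_addr:port ..." line per port that is bound both on the
# wildcard address and on at least one specific address. Per the thread, the
# specific (jailed) socket is chosen over the wildcard one for connections
# arriving at that address, so the host daemon is shadowed there.
find_shadowed_ports() {
    awk '
    NR == 1 { next }                       # skip the header line
    {
        proto = $5; split($6, a, ":"); addr = a[1]; port = a[2]
        key = proto ":" port
        if (addr == "*") wild[key] = 1
        else specific[key] = specific[key] " " $6
    }
    END {
        for (k in wild) if (k in specific) {
            split(k, p, ":")
            print p[1], p[2] specific[k]
        }
    }' | sort
}

# count_shadowed: number of ports flagged in the constructed sample.
count_shadowed() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | find_shadowed_ports | wc -l | tr -d ' '
}

# Stand-alone run: prints the two overlapping ports (22 and 25), not 80.
printf '%s\n' "$SAMPLE_SOCKSTAT" | find_shadowed_ports
```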