source addresses for IP traffic between jails

From: Andrew McNaughton (andrew_at_scoop.co.nz)
Date: 08/27/03

    Date: Wed, 27 Aug 2003 20:56:15 +1200 (NZST)
    To: freebsd-security@freebsd.org
    
    

    I'm setting up a server environment where I've got a bunch of jails
    running using aliased IPs on the same interface. I'd like to be able to
    use ipfw to place limits on the traffic between jails, but I'm running
    into problems.

    When I use tcpdump to look at TCP traffic from one jail to another, it
    shows both the source and destination IP for the packets as being the IP
    assigned to the jail which the connection is made to.

    When I look at UDP traffic (again using tcpdump) I see both the source
    and destination IP being that of the jail IP the particular packet is
    destined for.

    Given the situation above, is it possible for ipfw to distinguish
    which jails are involved in a packet exchange?

    I've wondered about giving each jail its own pseudo-interface. Are there
    any problems with creating many pseudo-interfaces like this? What sort of
    interface should I use?

    You apparently can't create multiple loopback interfaces which would be
    the obvious choice (ie `ifconfig lo1 create` does not work). The
    interface types I know about that allow creation of pseudo-interfaces are
    tunnel type interfaces which don't really suit this purpose. Is there
    something suitable?

    Given that packets are coming from a jail, is the packet construction I'm
    seeing correct, or should this be considered a bug?

    Andrew McNaughton

    --
    No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
    irritation occurs, discontinue use.
    -------------------------------------------------------------------
    Andrew McNaughton           In Sydney
                                Working on a Product Recommender System
    andrew@scoop.co.nz
    Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
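Added example, not part of the mail above: a small Python audit that reads `tcpdump -n` style lines (constructed sample below) and reports which inter-jail packets carry one jail's address as both source and destination, i.e. the packets an address-pair ipfw rule cannot attribute to an originating jail. The jail address map, names and trace lines are assumptions made for the example.

```python
import re
from collections import Counter

# Assumed jail address map: three jails aliased on one interface (constructed).
JAILS = {"10.0.0.11": "jail-web", "10.0.0.12": "jail-db", "10.0.0.13": "jail-mail"}

# Constructed tcpdump -n output reproducing the symptom described in the mail:
# inter-jail packets show the destination jail's IP as both src and dst.
SAMPLE_TRACE = """\
IP 10.0.0.12.45231 > 10.0.0.12.5432: Flags [S], seq 100, win 65535, length 0
IP 10.0.0.12.5432 > 10.0.0.12.45231: Flags [S.], seq 200, ack 101, win 65535, length 0
IP 10.0.0.11.53 > 10.0.0.11.53: UDP, length 40
IP 192.0.2.7.51000 > 10.0.0.11.80: Flags [S], seq 300, win 65535, length 0
IP 10.0.0.13.25 > 192.0.2.7.51000: Flags [P.], seq 1:20, ack 1, win 65535, length 19
"""

# Matches "IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump -n.
LINE_RE = re.compile(r"^IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse_trace(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each parsable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def classify(src, dst, jails=JAILS):
    """Say whether an address-pair rule could attribute this packet to a source jail."""
    if src in jails and dst in jails:
        # Same address on both ends: the originating jail is not recoverable
        # from the IP header, so no src/dst ipfw match can single it out.
        return "ambiguous-jail-pair" if src == dst else "distinct-jail-pair"
    if dst in jails:
        return "external-to-jail"
    if src in jails:
        return "jail-to-external"
    return "other"

def audit_trace(text, jails=JAILS):
    """Count each class and list (jail, dst_port) for flows ipfw cannot attribute by address."""
    counts = Counter()
    ambiguous = []
    for src, _sport, dst, dport in parse_trace(text):
        kind = classify(src, dst, jails)
        counts[kind] += 1
        if kind == "ambiguous-jail-pair":
            ambiguous.append((jails[dst], dport))
    return counts, ambiguous

if __name__ == "__main__":
    counts, ambiguous = audit_trace(SAMPLE_TRACE)
    print(dict(counts))
    for jail, port in ambiguous:
        print(f"unattributable inter-jail packet to {jail} port {port}")
```

Feed it real `tcpdump -n -i <iface>` output to see how much of the inter-jail traffic on a host falls into the ambiguous class before writing rules that assume distinct source addresses.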
    

