Re: Closing information leaks in jails?

From: Pawel Malachowski (pawmal-posting_at_freebsd.lublin.pl)
Date: 08/19/05

    Date: Fri, 19 Aug 2005 10:46:47 +0200
    To: freebsd-security@freebsd.org
    
    

    On Thu, Aug 18, 2005 at 10:44:42PM +0000, Nate Nielsen wrote:

    > netstat works, but it limits itself to the jail pretty well. In
    > particular 'netstat -r' and friends don't work. The normal 'netstat -a'
    > only shows connections to the current jail. It does show the output from
    > 'netstat -m' and those sort of things, but those say nothing about the
    > network load of the current machine.

    One can use the bmon application in a jail to graph network activity in real time,
    for example:

    % sysctl -a | grep jail
    security.jail.set_hostname_allowed: 0
    security.jail.socket_unixiproute_only: 1
    security.jail.sysvipc_allowed: 0
    security.jail.getfsstatroot_only: 1
    security.jail.allow_raw_sockets: 0
    security.jail.chflags_allowed: 0
    security.jail.jailed: 1
    % id
    uid=11226(pawmal) gid=10999(pawmal) groups=10999(pawmal)
    % bmon
      #  Interface      RX Rate   RX #    TX Rate   TX #
    ....................................................................................
    xxx (source: local)
      0  fxp0           1.29KiB     23   32.51KiB     34
      1  lo0            442.00B      2    442.00B      2
      2  vlan3          660.00B     11   32.40KiB     27
      3  vlan4          419.00B      5      0.00B      0
      4  vlan6            0.00B      0      0.00B      0
      5  vlan9            0.00B      0      0.00B      0

    -- 
    Paweł Małachowski
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
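
An added example, not part of the original message: a small audit helper that takes the `sysctl` dump and the interface table captured inside a jail, as in the session above, and lists every interface whose counters are readable there. The sample inputs are constructed from the quoted output, and the allowlist argument and function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example. Both samples are constructed from the output quoted in the
# message above; the allowlist argument is an assumption of this sketch.
SYSCTL_SAMPLE='security.jail.allow_raw_sockets: 0
security.jail.jailed: 1'
TABLE_SAMPLE='  # Interface RX Rate RX # TX Rate TX #
xxx (source: local)
  0 fxp0 1.29KiB 23 32.51KiB 34
  1 lo0 442.00B 2 442.00B 2
  2 vlan3 660.00B 11 32.40KiB 27
  3 vlan4 419.00B 5 0.00B 0
  4 vlan6 0.00B 0 0.00B 0
  5 vlan9 0.00B 0 0.00B 0'

# sysctl_value NAME: value of NAME from "name: value" lines on stdin.
sysctl_value() {
    awk -F': ' -v key="$1" '$1 == key { print $2 }'
}

# iface_counters: bmon-style rows on stdin -> "name rx_count tx_count"
# (the "RX #" and "TX #" columns). Header and node lines are skipped because
# they lack a numeric index in field 1 or do not have exactly six fields.
iface_counters() {
    awk 'NF == 6 && $1 ~ /^[0-9]+$/ { print $2, $4, $6 }'
}

# jail_leak_report SYSCTL_TEXT TABLE_TEXT ALLOWED
# When security.jail.jailed is 1, print one LEAK line per interface that is
# not in the space-separated ALLOWED list. Returns 1 if any line was printed.
jail_leak_report() {
    jailed=$(printf '%s\n' "$1" | sysctl_value security.jail.jailed)
    if [ "$jailed" != 1 ]; then
        echo "SKIP not running in a jail"
        return 0
    fi
    printf '%s\n' "$2" | iface_counters | awk -v allowed=" $3 " '
        index(allowed, " " $1 " ") { next }
        { printf "LEAK %s rx=%s tx=%s\n", $1, $2, $3; n++ }
        END { exit (n > 0) }'
}

# Stand-alone run on the constructed samples, tolerating only lo0.
jail_leak_report "$SYSCTL_SAMPLE" "$TABLE_SAMPLE" "lo0" || true
```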
    
