jails, cron and sendmail

Fabian Keil freebsd-listen at fabiankeil.de
Mon Aug 28 13:00:54 UTC 2006


Mike Meyer <mwm-keyword-freebsdhackers2.e313df at mired.org> wrote:

> In <44F1B7B7.9090701 at erdgeist.org>, Dirk Engling <erdgeist at erdgeist.org> typed:

> > > The default configuration doesn't expose sendmail to the publicly
> > > visible IP address. The daemon it runs only listens for connections to
> > > the localhost address.
> > Which is rewritten to the jails (externally visible) address on a connect()
> 
> Yup. I wasn't aware of that strange behavior of jails. That should be
> fixed.

Fixed how? Disallow jailed applications to connect to 127.0.0.1,
and thus break most of them, or have them reach 127.0.0.1 on the
host system and weaken the security?

I think the "strange behaviour" makes sense and it certainly makes
jailing servers easier. Because of the security aspect it's a good
idea to have the jail run on a private IP address that's only reachable
through packet filter and port forwarding anyway. Don't forward the
ports you don't need and the "problem" is solved.
> I think the better fix would be to make jails not expose their
> localhost IP address to the outside world.

Exactly.

Fabian
-- 
http://www.fabiankeil.de/
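The advice above (run the jail on a private address, forward only the ports you need) can be checked from inside the jail: every listener sockstat shows on the jail address that is not on the host's forwarding list is a service the jail exposes but the outside cannot reach. The script below is an added illustration, not part of this thread; the jail address 10.0.0.2, the forwarded port list and the sockstat output are all constructed.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` as run inside a jail on the
# hypothetical address 10.0.0.2. In a classic FreeBSD jail a daemon's bind()
# to 127.0.0.1 is rewritten to the jail address, so sendmail's "localhost only"
# listener shows up on 10.0.0.2:25 next to the services meant to be public.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   10.0.0.2:25           *:*
root     sshd       1200  3  tcp4   10.0.0.2:22           *:*
www      httpd      1300  4  tcp4   10.0.0.2:80           *:*
www      httpd      1300  5  tcp4   10.0.0.2:443          *:*'

# Ports the host packet filter forwards to this jail (hypothetical list).
FORWARDED_PORTS="22 80 443"

# unforwarded_listeners JAIL_IP "PORT PORT ..." < sockstat-output
# Prints "COMMAND PORT" for each TCP listener bound to the jail address whose
# port is not forwarded: bound on the jail address, but unreachable as long as
# the host does not forward that port.
unforwarded_listeners() {
    jail_ip="$1"
    forwarded="$2"
    awk -v ip="$jail_ip" -v fwd="$forwarded" '
        BEGIN { n = split(fwd, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                    # skip the sockstat header line
        $5 ~ /^tcp/ {
            split($6, addr, ":")            # "10.0.0.2:25" -> addr[1]=ip, addr[2]=port
            if (addr[1] == ip && !(addr[2] in ok)) print $2, addr[2]
        }'
}

# Runs the check over the embedded sample so it works offline; on a real
# jail replace the sample with the output of `sockstat -4l`.
check_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | unforwarded_listeners 10.0.0.2 "$FORWARDED_PORTS"
}

check_sample
```

With the constructed data the only line printed is `sendmail 25`: the listener the jail exposes on its address but which stays unreachable because port 25 is not forwarded.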