Jails routing and localhost

Ole ole at free.de
Fri Jan 19 12:31:11 UTC 2018


Hi Dewayne,


Fri, 19 Jan 2018 10:36:43 +1100 - Dewayne Geraghty
<dewayne.geraghty at heuristicsystems.com.au>:

> If you're paranoid, I also add a firewall rule to restrict traffic
> from/to specific ports and IPs over lo0. If you have anything
> sensitive you might also consider this restriction. Though I would
> recommend using "tcpdump -ni $INTERFACE" to learn how jails and
> routing work in your environment. I was surprised to observe: when
> two jails are assigned IPs on their external interface, the traffic
> between them, which I expected to use their external interfaces, traverses lo0.

Until now I thought that jails with two different /32 loopback
addresses could not communicate over loopback, because they are /32. But you
are right. I need a firewall rule to block traffic between the jails.

> PS Sadly there are many examples of ports using 127.0.0.1 instead of
> localhost, there are 104 different files in the Samba 4.7 suite that
> use 127.0.0.1 :/

Yes. I think there are two standards. One is, as Isaac said, RFC 3330.
The other one was "vote with the feet" and is localhost = 127.0.0.1.
There is too much software with this address hardcoded. So it is a
security feature that software will not bind to a public IP by accident.



I wonder why it makes such a difference whether the IP address of the host
is /32 or not. And I can't just change it to /24, because then I
couldn't reach the other servers in this /24 network. And some of them
are also mine :-(


Ole
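As an added example, not part of the list post or of any FreeBSD tool: the firewall rule Ole says he needs, generated as a pf ruleset that blocks direct jail-to-jail traffic over lo0 for every pair of jail addresses, while leaving host-to-jail traffic untouched. The jail addresses, the "jails" anchor name and the output path are assumptions made up for the example (RFC 5737 documentation addresses, not real hosts).

```sh
#!/bin/sh
# Added example: emit pf rules that block traffic between jail addresses on lo0.
# The addresses below are constructed sample values (RFC 5737), not real jails.
JAIL_IPS="192.0.2.10 192.0.2.11 192.0.2.12"

# gen_pf_rules "<space separated IPs>": one "block drop quick on lo0" rule per
# ordered pair of distinct jail addresses, so n jails give n*(n-1) rules.
# Nothing is said about host <-> jail traffic, so the rest of pf.conf decides it.
gen_pf_rules() {
    for src in $1; do
        for dst in $1; do
            if [ "$src" != "$dst" ]; then
                printf 'block drop quick on lo0 inet from %s to %s\n' "$src" "$dst"
            fi
        done
    done
}

# count_rules "<IPs>": number of rules gen_pf_rules would emit (sanity check).
count_rules() {
    gen_pf_rules "$1" | wc -l | tr -d ' '
}

# write_ruleset <file>: write the rules for JAIL_IPS to a file that can be
# loaded into an anchor, e.g.  pfctl -a jails -f /tmp/jails.pf
# (assumes pf.conf declares 'anchor "jails"' and does NOT contain
# 'set skip on lo0', which would exempt lo0 from filtering entirely).
write_ruleset() {
    gen_pf_rules "$JAIL_IPS" > "$1"
}

# Verify afterwards the way Dewayne suggests, e.g.
#   tcpdump -ni lo0 host 192.0.2.10 and host 192.0.2.11
# and confirm that connection attempts between the two jails no longer complete.
```

Only lo0 is filtered here because, as observed in the thread, that is the path the inter-jail traffic actually takes; if you later move jails to a VNET or a separate bridge, the rules need the matching interface name instead.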