jails, ipfilter & stunnel

Pawel Jakub Dawidek nick at garage.freebsd.pl
Mon Jul 14 11:24:04 PDT 2003


On Sun, Jul 13, 2003 at 08:56:16AM +0200, Uwe Doering wrote:
+> >I'm setting up a server where I plan to use Jails to improve security.
+> >I also have installed and am configuring ipfilter.  Here are my 
+> >questions:
+> >
+> >Because I'm using Jails, I will have to have multiple ip aliases on the
+> >network interface.  I will use ipfilter to specify what can go to each 
+> >of the addresses.  (e.g., allow only incoming to port 80 on the jail 
+> >running apache).  
+> 
+> You don't have to have multiple IP aliases for multiple jails.  Or at 
+> least there is no technical necessity for this (in FreeBSD 4.x, that is, 
+> don't know about 5.x).  If it's just about running server processes in 
+> their own jail (no port number conflicts) you can have all jails on the 
+> same IP address and do the IP filtering (if necessary at all in this 
+> scenario) based on port numbers.

No, no, no!

You first need to realize how the kernel will choose the listen socket.
If you bind to port 22 on the main host with INADDR_ANY, you get this
INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
it will be translated to the jail's IP. Now if there is an open port outside
the jail and it is opened inside some jail as well, guess which socket will
be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the
kernel translates them to the jail's IP). So from a security point of view,
if someone breaks into your jail, he is able to spoof your sshd (let's forget
for a moment about server keys), your mail server or anything else
and get your password, for example.

You can check my patch for multiple IPs in jails, which also fixes the
socket ordering behaviour.

	For FreeBSD 4.x:
	http://garage.freebsd.pl/mijail.tbz
	http://garage.freebsd.pl/mijail.README
	For FreeBSD 5.1-CURRENT:
	http://garage.freebsd.pl/mijail5.tbz
	http://garage.freebsd.pl/mijail5.README
	http://garage.freebsd.pl/patches/mijail5.patch

+> >Another jailed server will run mail services (pop, smtp, imap).  If 
+> >I want to allow users to use web based email(over ssl of course), the 
+> >web server  will have to communicate with the mail server.    Is there 
+> >a chance of "information leakage" in this type of setup?
+> 
+> Only the information you transmit will leak.  That is, you define the 
+> information interchange between the jails, so pondering over the 
+> consequences is on your plate, too.  Just assume that each jail has been 
+> broken into by an intruder with evil intentions and ask yourself what 
+> damage he can do with the data he can gather from the other jails. 
+> Paranoia in action, as it were. ;-)

If the www pages don't have dynamic elements, you can mount them read-only
with mount_null(8), for example. Only logs should be writable, but you
need only one directory with the 'schg' flag and touch(1)'ed log files
inside with the 'sappnd' flag. Note that 'schg' and 'sappnd' can't be removed
in a jail even if securelevel is <= 0.

-- 
Pawel Jakub Dawidek                       pawel at dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
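The listen-socket selection described in the reply above, as an added example that is not part of the original post and not FreeBSD code: a small Python model of a BSD-style PCB table in which an exact (address, port) match is tried before the INADDR_ANY wildcard, plus jail(2)'s rewriting of a jailed INADDR_ANY bind to the jail's address. The jail name, the addresses and the simplification that only exact duplicates are refused on bind (roughly what SO_REUSEADDR buys a daemon such as sshd) are assumptions of the model, not facts from the post.

```python
# Added example (not code from the original post or from FreeBSD): a model of
# how a BSD-style kernel picks the listening socket for an incoming TCP
# connection, and how jail(2) rewrites a jailed bind to INADDR_ANY.
# Jail name, addresses and the bind-conflict rule are constructed for the demo.
from dataclasses import dataclass
from typing import List, Optional

INADDR_ANY = "0.0.0.0"


@dataclass(frozen=True)
class ListenSocket:
    owner: str   # "host" or the name of the jail that owns the socket
    laddr: str   # local address the socket is bound to
    lport: int   # local port


class PcbTable:
    """Simplified protocol control block table for one port space."""

    def __init__(self) -> None:
        self.socks: List[ListenSocket] = []

    def bind(self, owner: str, addr: str, port: int,
             jail_ip: Optional[str] = None) -> ListenSocket:
        # jail(2) behaviour from the post: a jailed process that binds
        # INADDR_ANY actually gets the jail's address.
        if jail_ip is not None and addr == INADDR_ANY:
            addr = jail_ip
        # Assumed simplification: only an exact (addr, port) duplicate is
        # refused, as when both daemons set SO_REUSEADDR (sshd does).
        for s in self.socks:
            if s.lport == port and s.laddr == addr:
                raise OSError(f"EADDRINUSE: {addr}:{port} owned by {s.owner}")
        sock = ListenSocket(owner, addr, port)
        self.socks.append(sock)
        return sock

    def lookup(self, dst: str, port: int) -> Optional[ListenSocket]:
        """Pick the socket for a SYN to dst:port: exact match beats wildcard."""
        for s in self.socks:
            if s.lport == port and s.laddr == dst:
                return s
        for s in self.socks:
            if s.lport == port and s.laddr == INADDR_ANY:
                return s
        return None


def who_answers(jail_ip: str, host_ip: str) -> str:
    """Host sshd bound to INADDR_ANY:22 and a jailed sshd also binding
    INADDR_ANY:22 (rewritten to jail_ip).  Returns the owner of the socket
    that receives a connection to host_ip:22."""
    pcb = PcbTable()
    pcb.bind("host", INADDR_ANY, 22)
    pcb.bind("webjail", INADDR_ANY, 22, jail_ip=jail_ip)   # hypothetical jail
    hit = pcb.lookup(host_ip, 22)
    return hit.owner if hit else "nobody"


def demo() -> dict:
    host_ip = "192.0.2.10"    # constructed addresses
    alias_ip = "192.0.2.11"
    return {
        # Jail shares the host's address: the jailed socket is the exact
        # match, so it takes every connection to the host's port 22.
        "shared_ip": who_answers(jail_ip=host_ip, host_ip=host_ip),
        # Jail on its own alias: the host sshd keeps the host address ...
        "alias_ip_host": who_answers(jail_ip=alias_ip, host_ip=host_ip),
        # ... and the jailed sshd only sees traffic for the alias.
        "alias_ip_jail": who_answers(jail_ip=alias_ip, host_ip=alias_ip),
    }


if __name__ == "__main__":
    for name, owner in demo().items():
        print(f"{name}: {owner}")
```

The shared-address case is the one the reply warns about: an intruder in the jail who starts a listener on a port the host also serves becomes the exact match and can impersonate the host daemon to anyone connecting to the host's address.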