jails, ipfilter & stunnel

Pawel Jakub Dawidek nick at garage.freebsd.pl
Mon Jul 14 13:47:00 PDT 2003

On Mon, Jul 14, 2003 at 10:17:37PM +0200, Uwe Doering wrote:
+> >You can check my patch for multiple IPs in jails which also fixes
+> >the socket ordering behaviour.
+> >
+> >	For FreeBSD 4.x:
+> >	http://garage.freebsd.pl/mijail.tbz
+> >	http://garage.freebsd.pl/mijail.README
+> >	For FreeBSD 5.1-CURRENT:
+> >	http://garage.freebsd.pl/mijail5.tbz
+> >	http://garage.freebsd.pl/mijail5.README
+> >	http://garage.freebsd.pl/patches/mijail5.patch
+> Thanks for the patches.  Did you try to contribute them to the FreeBSD 
+> project?  If so, any reaction so far?

Of course I've tried, but as you can see...:)

+> >If www pages don't have dynamic elements you can mount them as read-only
+> >with mount_null(8) for example. Only logs should be writable, but you
+> >need only one directory with 'schg' flag and touch(1)'ed log files
+> >inside with 'sappnd' flag. Note that 'schg' and 'sappnd' can't be removed
+> >in jail even if securelevel is <= 0.
+> Just be careful with mount_null(8).  You might get away with it 
+> unscathed if you use it read-only, but you shouldn't try anything else 
+> with it.  Last time I checked I managed to panic the kernel with it even 
+> faster than with mount_union(8), which is badly broken as well (look at 
+> the comment at the end of the man pages).  I wouldn't recommend using 
+> either in a production system.

You could always try to use NFS on the local machine, but those comments at
the end of the manual pages should be removed in 5.x (for unionfs as well).
There are developers working on this - tjr@ on nullfs and das@ on unionfs.
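As an added example (not part of the original mail or of the mijail patches), the script below sets up the append-only log directory described in the quoted text on a FreeBSD host and then audits it by reading `ls -lo` output. The log directory path and the two log file names are assumptions for illustration; the ordering matters, since once `schg` is on the directory no new files can be created inside it, so the files are touched and marked `sappnd` first.

```shell
#!/bin/sh
# Added example (not from the original mail): prepare a jail's log directory
# so that, inside the jail, log files can only be appended to and the
# directory itself can't be changed (schg on the dir, sappnd on the files).
# LOGDIR and LOGFILES are assumed values for illustration.

LOGDIR="${LOGDIR:-/jails/www/var/log}"                    # assumed jail log dir
LOGFILES="${LOGFILES:-httpd-access.log httpd-error.log}"   # assumed file names

# flags_of_line: print the file-flags column of one `ls -lo` line.
# FreeBSD's `ls -lo` inserts the flags between the group and the size,
# so they are the 5th whitespace-separated field ("-" when none are set).
flags_of_line() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# has_flag: exit 0 if the comma-separated flag list $1 contains flag $2.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# harden_logdir: create the log files first (schg on the directory would
# block creating them afterwards), mark each file sappnd, then lock the
# directory with schg.  Run as root on the host, outside the jail.
harden_logdir() {
    command -v chflags >/dev/null 2>&1 || { echo "chflags not available" >&2; return 2; }
    mkdir -p "$LOGDIR" || return 1
    for f in $LOGFILES; do
        touch "$LOGDIR/$f" && chflags sappnd "$LOGDIR/$f" || return 1
    done
    chflags schg "$LOGDIR"
}

# audit_logdir: verify the flags really are set by parsing `ls -lo` output.
# Returns 1 and names the offending entry if anything is missing.
audit_logdir() {
    dirflags=$(flags_of_line "$(ls -ldo "$LOGDIR")")
    has_flag "$dirflags" schg || { echo "missing schg on $LOGDIR" >&2; return 1; }
    for f in $LOGFILES; do
        fflags=$(flags_of_line "$(ls -lo "$LOGDIR/$f")")
        has_flag "$fflags" sappnd || { echo "missing sappnd on $LOGDIR/$f" >&2; return 1; }
    done
    echo "log directory flags OK"
}

# Usage: LOGDIR=/jails/www/var/log sh harden-logs.sh --run
if [ "${1:-}" = "--run" ]; then
    harden_logdir && audit_logdir
fi
```

Because the flags can't be cleared from inside the jail regardless of securelevel, any log rotation has to happen from the host; `audit_logdir` is the cheap check to run after rotation to confirm the flags were put back.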

