jails, ipfilter & stunnel

V. Jones vjones62 at earthlink.net
Mon Jul 14 13:50:48 PDT 2003


> > > No, no, no!
> >
> > You first need to realize how the kernel will choose the listen socket.
> > If you bind to port 22 on the main host with INADDR_ANY, you get this
> > INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
> > it will be translated to the jail's IP. Now if there is an open port outside
> > the jail and inside some jail it is opened as well, guess which socket will
> > be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said,
> > the kernel translates them to the jail's IP). So from a security point of view,
> > if someone breaks into your jail, he is able to spoof your sshd (let's forget
> > for a moment about server keys), your mail server or anything else
> > and get your password, for example.
>
> Good point.  I forgot to mention that you should bind daemons running
> outside the jails explicitly to the server's IP address.  This
> circumvents the problem you've pointed out.  But I agree with you that
> people would be less likely to shoot themselves in the foot if the
> kernel took care of things in this situation.
>
Oh - okay.  The directions I followed in "Absolute BSD" had me configure
all daemons so that they only listened on the main IP address.  Is this
what you guys are talking about?  Actually, the book said the jailed
server wouldn't even start if this wasn't done.

For example, in my /etc/ssh/sshd_config:

ListenAddress x.x.x.8


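A quick way to audit the configuration discussed above (daemons on the host bound to INADDR_ANY while the same port is served inside a jail) is to list every listening socket whose local address is the wildcard. The script below is an added example, not part of the original post or of FreeBSD; it parses the output format of `sockstat -4l` from a constructed sample embedded inline, so it runs offline. On a real host you would replace the sample with `sockstat -4l` itself.

```sh
#!/bin/sh
# Constructed sample of `sockstat -4l` output (assumed format, not taken from the post).
# Column 6 is LOCAL ADDRESS; "*:22" means sshd is bound to INADDR_ANY.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     sendmail   530   4  tcp4   10.0.0.8:25           *:*
root     sshd       640   3  tcp4   10.0.0.9:22           *:*
root     syslogd    410   5  udp4   *:514                 *:*'

# Print "COMMAND PID PORT" for each listener bound to the wildcard address.
# These are the sockets a jailed service on the same port would win against,
# so each one should get an explicit ListenAddress / bind address instead.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ {
        split($6, addr, ":")
        print $2, $3, addr[2]
    }'
}

# Number of wildcard listeners, for a pass/fail summary.
wildcard_count() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: run against the constructed sample (swap in "$(sockstat -4l)" on a live host).
wildcard_listeners "$SAMPLE"
```

In the sample, `sshd` (pid 512) and `syslogd` are flagged because they listen on `*`, while the `sendmail` bound to 10.0.0.8 and the second `sshd` bound to 10.0.0.9 are not.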
More information about the freebsd-security mailing list