jails, ipfilter & stunnel
Nicholas Esborn
nick at netdot.net
Tue Jul 15 09:17:46 PDT 2003
On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
> Pawel Jakub Dawidek wrote:
> >No, because an attacker is able to spoof your daemons from main host or
> >other jails. Even if you're binded to a valid IP (not INADDR_ANY) there
> >could be always a chance to DoS existing daemon and reuse its port.
> >
> >My advice is simple: every jail and main host should have its own IP
> >address.
>
> This is certainly the best solution, if you have multiple IP addresses
> at your disposal. What I was trying to point out is that there is no
> _technical_ reason for separate IP addresses with regard to FreeBSD's
> jail implementation. In cases where you cannot easily get additional IP
> addresses, on a rented server in a data center, for instance, running
> multiple jails on the same IP address (with the necessary safety
> precautions like binding daemons to IP addresses explicitly) is still
> far better than no jails at all. The difference is that it takes at
> least some skill and insight into FreeBSD internals to compromise the
> system as a whole in the former case, while in the latter each and every
> script kiddy can take over your entire server in no time.
Would it be useful to create multiple IP aliases on lo0, i.e. 127.0.0.2,
127.0.0.3, bind the jails to those, then use ipfw, ipf/ipnat, or a TCP
proxy to connect ports on the server's real IP to services bound to the
lo0 aliases?
I can imagine that this technique might not work for services which
identify the IP address to which they bind, but surely it could work
in some cases?
-nick
More information about the freebsd-security
mailing list