bind() on 127.0.0.1 in jail: bound to the outside address?

Xin LI delphij at frontfree.net
Mon Feb 28 16:26:29 GMT 2005


Dear folks,

It seems that doing bind() inside a jail (whose IP address is an outside
address) will result in some weird behavior: the actual bind is
done on the outside address.

For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1
will finally result in a bind to 192.168.1.1:6666.  With this in mind,
it is possible that some formerly secure configurations fail in a jail
environment.

It seems that our implementation will forward every loopback connection
to the outside address.  A simple hack to work around this issue might
be to modify the individual bind procedures to treat the prison case with
a loopback address, but I'm not sure if a true solution can solve the
issue with minimum code change and code complexity.

Your ideas are highly appreciated!

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
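
The following is an added example, not part of the original post and not FreeBSD code: a daemon-side check that binds to the requested address and then uses getsockname() to confirm where the socket actually landed, refusing to serve if the loopback bind was moved. The names `bind_checked` and `classify` are hypothetical, and the check assumes getsockname() reports the rewritten address inside the jail.

```c
/* Added example: detect a loopback bind() that ended up on another address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { BIND_ERR = -1, BIND_OK = 0, BIND_REWRITTEN = 1 };

/* Compare the address we asked for with the one the kernel reports. */
static int classify(const struct sockaddr_in *want, const struct sockaddr_in *got)
{
    return want->sin_addr.s_addr == got->sin_addr.s_addr ? BIND_OK : BIND_REWRITTEN;
}

/* Bind TCP to ip:port; on BIND_OK *fd_out holds the socket, else it is closed. */
static int bind_checked(const char *ip, unsigned short port, int *fd_out)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof got;
    int fd, rc;
    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &want.sin_addr) != 1)
        return BIND_ERR;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return BIND_ERR;
    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return BIND_ERR;
    }
    rc = classify(&want, &got);      /* assumption: the jail's rewrite is visible here */
    if (rc != BIND_OK) { close(fd); return rc; }
    *fd_out = fd;
    return BIND_OK;
}

int main(void)
{
    int fd, rc = bind_checked("127.0.0.1", 6666, &fd);
    if (rc == BIND_REWRITTEN)
        fprintf(stderr, "refusing to serve: loopback bind landed on another address\n");
    else if (rc == BIND_OK)
        close(fd);
    return rc == BIND_OK ? 0 : 1;
}
```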
