bind() on 127.0.0.1 in jail: bound to the outside address?
Bryan Fullerton
fehwalker at gmail.com
Mon Feb 28 21:12:29 GMT 2005
I'd noticed this as well, but assumed it was a feature. Given that
there's only one IP inside the jail, how do you bind to a loopback IP
that doesn't exist?
I suspect the behavior you're seeing is another 'simple hack' to allow
binding to the loopback IP to not just immediately fail with "unable
to bind".
If this isn't documented somewhere (I didn't bother to check, it made
sense to me once I figured out what it was doing) it should be. I have
noticed that documentation of jail in the handbook in general is a bit
lacking, maybe I'll see if I can find time to look at that (heh).
Bryan
On Tue, 1 Mar 2005 00:25:48 +0800, Xin LI <delphij at frontfree.net> wrote:
> Dear folks,
>
> It seems that doing bind() inside a jail (whose IP address is an outside
> address), will result in some wierd behavior, that the actual bind is
> done on the outside address.
>
> For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1,
> will finally result in a bind to 192.168.1.1:6666. With this in mind,
> it is possible that some formerly secure configuration fail in jail
> environment.
>
> It seems that our implementation will forward every loopback connection
> to the outside address. A simple hack to work around this issue might
> be to modify the individual bind procedures to treat prison case with
> loopback address, but I'm not sure if a true solution can solve the
> issue with minimum code change and code complexity.
>
> Your ideas are highly appreciated!
>
> Cheers,
> --
> Xin LI <delphij frontfree net> http://www.delphij.net/
> See complete headers for GPG key and other information.
>
>
>
More information about the freebsd-security
mailing list