Jail support for mac_portacl(4).
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon May 23 18:13:25 PDT 2005
Hi.
When we don't have too many IP addresses available and we want to run,
for example, a www server inside a jail but use the same IP address as
the main system, we need to actually use an internal IP address and
forward the http port with a firewall from the external IP to the jail's IP.
In that way we know that if somebody breaks into our jail, he cannot
run an sshd server (we have keys, I know) or any other non-http service
inside the jail with our public IP address.
This patch gives another option, so one doesn't need to use a firewall for this
purpose. It adds a new idtype - 'jid'. With this patch, one can configure
that the jail with the given JID can use only the defined ports:
# sysctl security.mac.portacl.rules="jid:1:tcp:80"
Patch is here:
http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
Any objections?
PS. With the above policy, processes from outside a jail can bind to
port 80. We can change this behaviour to "allow port 80 to be used
only inside jail 1". This will be a warning for non-jailed
processes (don't use this port, because it can be used in a jail
which will overwrite your service).
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
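An added example (not part of the post or of the patch it links to): a small POSIX sh helper that checks a mac_portacl(4) rule list for syntax errors before it is handed to sysctl, accepting the proposed 'jid' idtype alongside the stock 'uid' and 'gid'. It assumes the documented rule form idtype:id:protocol:port with rules separated by commas; it only checks syntax and says nothing about which other processes may bind the port (the point raised in the PS).

```shell
#!/bin/sh
# Syntax check for a mac_portacl(4) rule list.
# Assumed rule syntax (mac_portacl(4)): idtype:id:protocol:port, comma-separated.
# 'jid' is the idtype proposed in the post; 'uid' and 'gid' are the stock ones.
# Returns 0 when every rule is well formed, 1 otherwise (reason on stderr).
portacl_validate_rules() {
    rules=$1
    [ -n "$rules" ] || { echo "empty rule list" >&2; return 1; }
    oldifs=$IFS
    # Split the list on commas into positional parameters.
    IFS=','; set -- $rules; IFS=$oldifs
    for rule in "$@"; do
        # Split one rule on colons.
        IFS=':'; set -- $rule; IFS=$oldifs
        if [ $# -ne 4 ]; then
            echo "malformed rule (expected idtype:id:protocol:port): $rule" >&2
            return 1
        fi
        idtype=$1; id=$2; proto=$3; port=$4
        case "$idtype" in
            uid|gid|jid) ;;
            *) echo "unknown idtype '$idtype' in rule: $rule" >&2; return 1 ;;
        esac
        case "$id" in
            ''|*[!0-9]*) echo "id must be numeric in rule: $rule" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "protocol must be tcp or udp in rule: $rule" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "port must be numeric in rule: $rule" >&2; return 1 ;;
        esac
        if [ "$port" -gt 65535 ]; then
            echo "port out of range in rule: $rule" >&2
            return 1
        fi
    done
    return 0
}

# Apply a rule list the way the post shows, but only after it validates.
# Usage: portacl_apply_rules "jid:1:tcp:80"
portacl_apply_rules() {
    portacl_validate_rules "$1" || return 1
    sysctl security.mac.portacl.rules="$1"
}
```

Running portacl_apply_rules requires root on a FreeBSD system with mac_portacl loaded; the validator itself runs anywhere and is what a deployment script would call before touching the sysctl.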