jail issue

Jim Prewett download at hpc.unm.edu
Sat Feb 14 13:32:26 PST 2004


One more thing to add:

This apparently started happening around 12.02.2004 01:38 CET; I must have 
cvsup'd and reinstalled the world not too long before that.

Jim

On Fri, 13 Feb 2004, Jim Prewett wrote:

> 
> Hi Robert,
> 
> I've been using jails (very happily) for quite some time and have *never*
> had a problem like this.  I really don't have a clue what to look for :)  
> 
> I'm getting complaints from fellow keyserver ops as my IP seems to
> sometimes be the jail and sometimes the host, so some of my packets get
> rejected as that IP has not been configured (by the remote host) to be a
> peer.  (how strange is that?!)
> 
> Here is an email I received.  I cvsup'd this morning, rebuilt everything, 
> and did a final clean reboot before starting up the pgp jail.  I received 
> this email from one of my peer sites (the timestamps confirm this was 
> after starting the jail after rebuilding):
> 
> To: download at hpc.unm.edu
> Subject: PGP/nox again
> 
> 2004-02-13 10:52:01 Enabling gossip
> 2004-02-13 10:52:02 Reconciliation attempt from unauthorized host <ADDR_INET 129.24.244.72:2040>.  Ignoring
> 
> the host (nox) is 129.24.244.72, the jail (pgp) is 129.24.244.40.
> 
> On Fri, 13 Feb 2004, Robert Watson wrote:
> 
> > 
> > On Fri, 13 Feb 2004, Jim Prewett wrote:
> > 
> > > I run a PGP key server (SKS 1.0.6) inside of a jail.  However, my key
> > > server seems to be getting confused as to its IP address and is sending
> > > packets as the host environment (not as the jail environment). 
> > 
> > Could you show the output of sockstat as run in the host environment? 
> > Likewise, the output of ps ax.  I'd like to see what the socket is bound
> > to, as the theory goes that jail modifies the bind requests from the
> > process to set them to the IP in the jail. Either we have a bug in socket
> > handling, or the process isn't running in the jail. 
> 
> I'm really afraid I may have inadvertently found a bug!  It is definitely
> in the jail environment (I've included the ps output below).  The SKS
> daemons definitely answer on the jail environment IP (I've included the 
> output of nmap against both the host and the jail below)!
> 
> here are the sockets related to the sks process:
> 
> nox# sockstat | grep sks
> root     sks        276    5 tcp4   129.24.244.40:11371   *:*                  
> root     sks        271    4 tcp4   129.24.244.40:11370   *:*                  
> root     sks        276    6 stream ./db_com_sock                              
> root     sks        271    5 stream ./recon_com_sock                
> 
> and sks processes:
> nox# ps ax | grep sks
>  5804  p2  S+     0:00.00 grep sks
>   271 con- S+J    0:03.29 sks recon
>   276 con- S+J    0:11.50 sks db
> 
> nmap of host (nox) and jail (pgp):
> 
> nox# nmap nox pgp  -p 11370-11371
> 
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-13 21:21 
> MST
> Interesting ports on nox.hpc.unm.edu (129.24.244.72):
> PORT      STATE  SERVICE
> 11370/tcp closed unknown
> 11371/tcp closed pksd
> 
> Interesting ports on pgp.hpc.unm.edu (129.24.244.40):
> PORT      STATE SERVICE
> 11370/tcp open  unknown
> 11371/tcp open  pksd
> 
> Nmap run completed -- 2 IP addresses (2 hosts up) scanned in 0.339 seconds
> 
> ifconfig from the host:
> nox# ifconfig -a
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
>         inet6 fe80::2d0:b7ff:fe7f:f678%fxp0 prefixlen 64 scopeid 0x1 
>         ether 00:d0:b7:7f:f6:78
>         media: Ethernet autoselect (none)
>         status: no carrier
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 129.24.244.72 netmask 0xfffffc00 broadcast 129.24.247.255
>         inet6 fe80::210:dcff:fedf:1a01%vr0 prefixlen 64 scopeid 0x2 
>         inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
>         ether 00:10:dc:df:1a:01
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128 
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
>         inet 127.0.0.1 netmask 0xff000000 
> 
> ifconfig from the jail:
> pgp# ifconfig -a
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         ether 00:d0:b7:7f:f6:78
>         media: Ethernet autoselect (none)
>         status: no carrier
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
>         ether 00:10:dc:df:1a:01
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> 
> If there is anything else that I can provide, please let me know.  I'm 
> *very* interested in resolving this.
> 
> Thanks,
> Jim
> 
> 

-- 
James Prewett                           OpenPGP key: pub  1024D/31816D93
Systems Team Leader		 	  Designated Security Officer
HPC Systems Engineer III @ HPC at UNM -- download at hpc.unm.edu Jim at Prewett.org
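Robert Watson's quoted theory is that the kernel rewrites a jailed process's bind() requests to the jail IP, while the peer's complaint is about the source address of an outbound connection, which the kernel chooses at connect() time when the process never binds. The C diagnostic below is added here and is not from the thread, from SKS or from FreeBSD: chosen_local_addr() connects to a peer without binding and reports the kernel-chosen local address via getsockname(), so it can be compared with the jail IP (129.24.244.40 in the thread); loopback_self_check() is only there so the program can be exercised offline.

```c
/* Added diagnostic, not from the thread: which local address does the
 * kernel pick for an outbound TCP connection that was never bind()ed?
 * Run inside the jail against a peer: expect the jail IP, not the host's. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to peer_ip:port without an explicit bind() and copy the
 * kernel-chosen local address into out. Returns 0 on success, -1 on error. */
int chosen_local_addr(const char *peer_ip, int port, char *out, size_t outlen)
{
    struct sockaddr_in peer = {0}, local;
    socklen_t len = sizeof(local);
    int fd = socket(AF_INET, SOCK_STREAM, 0), ok;
    if (fd < 0) return -1;
    peer.sin_family = AF_INET;
    peer.sin_port = htons(port);
    ok = inet_pton(AF_INET, peer_ip, &peer.sin_addr) == 1 &&
         connect(fd, (struct sockaddr *)&peer, sizeof(peer)) == 0 &&
         getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
         inet_ntop(AF_INET, &local.sin_addr, out, outlen) != NULL;
    close(fd);
    return ok ? 0 : -1;
}

/* Offline self-check: listen on 127.0.0.1 at an ephemeral port, connect to
 * it, and report whether the kernel sourced the connection from 127.0.0.1. */
int loopback_self_check(void)
{
    struct sockaddr_in sa = {0};
    socklen_t len = sizeof(sa);
    char addr[INET_ADDRSTRLEN];
    int lfd = socket(AF_INET, SOCK_STREAM, 0), ok = 0;
    if (lfd < 0) return 0;
    sa.sin_family = AF_INET;                      /* sin_port 0: kernel picks */
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&sa, &len) == 0)
        ok = chosen_local_addr("127.0.0.1", ntohs(sa.sin_port), addr, sizeof addr) == 0
             && strcmp(addr, "127.0.0.1") == 0;
    close(lfd);
    return ok;
}
```

Inside the jail, call chosen_local_addr() with a real peer's address and port 11370 and compare the result with the jail IP; a host address there reproduces the symptom the peer site reported.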
