kern/61483: Jail security is not honored using IP Filter
Andrew Kolchoogin
andrew at rinet.ru
Sat Jan 17 09:00:35 PST 2004
>Number: 61483
>Category: kern
>Synopsis: Jail security is not honored using IP Filter
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 17 09:00:29 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Andrew Kolchoogin
>Release: FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD mowgli.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #3: Fri Dec 19 19:18:12 MSK 2003 andrew at mowgli.rinet.ru:/usr/src/sys/compile/UNIX i386
>Description:
Although there is no way to see the IP firewall rules set up with FreeBSD's
'standard' ipfw package from inside a jail, the alternate firewall toolkit, ipf,
doesn't honor jail security: ipfstat -io and ipnat -l work fine even inside a jail.
>How-To-Repeat:
1) Set up any jail:
mkdir /usr/jail
cd /usr/src
make buildworld
make DESTDIR=/usr/jail installworld
cd etc
make DESTDIR=/usr/jail distribution
2) Run shell inside jail:
jail /usr/jail localhost 127.0.0.1 /bin/tcsh
3) Run the 'ipfstat' command:
ipfstat -io
And you will see all of your IP filter rules set up outside jail.
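The reproduction above relies on the jail being able to open the IP Filter control devices at all. As an added audit script (not part of this PR and not FreeBSD's own code), the following checks a jail's root filesystem for those device nodes from the host side. It assumes the standard IP Filter device names (/dev/ipl, /dev/ipnat, /dev/ipstate, /dev/ipauth), which ipfstat and ipnat open to talk to the kernel; the jail root path /usr/jail in the usage comment is the one from the PR.

```shell
#!/bin/sh
# Added example, not from the PR: audit whether a jail's /dev exposes the
# IP Filter control devices that ipfstat/ipnat open to read filter and NAT
# state. Device names are the standard IP Filter ones (assumption).

IPF_DEVICES="ipl ipnat ipstate ipauth"

# ipf_devices_present DEVDIR
# Prints each IP Filter device node that exists under DEVDIR, one per line.
# Returns 0 when none exist, 1 when at least one exists.
ipf_devices_present() {
    devdir=$1
    found=0
    for d in $IPF_DEVICES; do
        if [ -e "$devdir/$d" ]; then
            echo "$devdir/$d"
            found=1
        fi
    done
    return $found
}

# ipf_devices_count DEVDIR
# Prints the number of IP Filter device nodes found under DEVDIR.
ipf_devices_count() {
    ipf_devices_present "$1" | wc -l | tr -d ' '
}

# jail_ipf_audit JAILROOT
# Reports whether JAILROOT/dev contains any IP Filter device node.
# Returns 0 when the jail cannot reach the filter this way, 1 otherwise.
jail_ipf_audit() {
    jailroot=$1
    n=$(ipf_devices_count "$jailroot/dev")
    if [ "$n" -eq 0 ]; then
        echo "OK: $jailroot/dev has no IP Filter device nodes"
        return 0
    fi
    echo "WARNING: $jailroot/dev exposes $n IP Filter device node(s):"
    ipf_devices_present "$jailroot/dev" || true
    return 1
}

# Usage from the host, for the jail built in the PR:
#   jail_ipf_audit /usr/jail
```

A non-zero count means processes inside that jail have a path to the host's filter and NAT tables; an empty result only rules out this particular path and says nothing about other ways the kernel might answer a jailed process.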
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: