unwanted packet forwarding / PR candidate?
Harald Schmalzbauer
harry at schmalzbauer.de
Tue May 31 00:34:48 PDT 2005
Hello,
in a previous e-mail I described some problems with multihomed
jail-systems. But there is another general problem.
                      INET
                        |
 |-----------|     |----A---|     |---------|
 |   Box A   |     | Router |     |  Box B  |
 |if0     if1|     |        |     |----v----|
 |-v-------v-|     |-v----v-|          |
   |       |  DMZ    |    |            |
   |       |---------|    |            |
   |                      |            |
   |----------------------|------------|
                      LAN
If you look at the diagram you see Box A with two interfaces, if0
(172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for
the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
Now when I connect from BoxB (172.16.0.3) to a jail running on
BoxA (192.168.0.2), the outgoing packets go over the router into the DMZ.
But when I add a static route on BoxB which tells 192.168.0/24 -> 172.16.0.2
(BoxA if0), I can connect to the jail running on BoxA via the if0
interface, even if I haven't enabled forwarding on BoxA.
This is a big security hole IMHO.
Should I file a PR for that?
My particular problem now is that if I connect from BoxB to a jail on BoxA,
the answering packets won't go over the router but are instead sent directly
over if0 back to the LAN. Any suggestions on how to solve this? (fwd in
IPFW and route-to in PF, but I think this should be handled by the system
if jails are used.)
Is it possible (by design of jails) to implement a dedicated interface for
a jail?
Thanks,
-Harry
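The behaviour described in the post is the "weak host model": a packet whose destination is any address the host owns is delivered locally no matter which interface it arrived on, so net.inet.ip.forwarding never enters the decision. The reply problem is the mirror image: the jail's reply is routed by destination only, which on BoxA means the directly connected 172.16/16 route on if0. The following model is an added example, not code from the post or from FreeBSD; it assumes the router is 172.16.0.1 on the LAN side and 192.168.0.1 on the DMZ side (the post gives neither), and it shows the two mitigations the poster mentions (an ingress filter on if0 for DMZ destinations, and a pf-style route-to for traffic sourced from the jail's DMZ address) next to a "strong host" check of the kind FreeBSD's net.inet.ip.check_interface sysctl performs.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    iface: str
    gateway: Optional[str] = None      # None: directly connected


@dataclass
class Host:
    addrs: dict                        # iface -> local address
    routes: list                       # unicast routing table
    forwarding: bool = False           # models net.inet.ip.forwarding
    strong_host: bool = False          # accept a local address only on the interface owning it
    ingress_deny: list = field(default_factory=list)   # (iface, Net): drop on arrival
    policy_routes: list = field(default_factory=list)  # (src Net, iface, gateway): pf route-to

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        d = IPv4(dst)
        candidates = [r for r in self.routes if d in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def input(self, in_iface: str, dst: str) -> str:
        """Decide what the host does with a packet arriving on in_iface for dst."""
        d = IPv4(dst)
        # Firewall ingress rule (ipfw/pf) runs before the stack's own decision.
        for iface, net in self.ingress_deny:
            if iface == in_iface and d in net:
                return "drop: ingress filter"
        owner = next((i for i, a in self.addrs.items() if a == d), None)
        if owner is not None:
            # Weak host model: local address -> local delivery, forwarding irrelevant.
            if self.strong_host and owner != in_iface:
                return "drop: strong host"
            return f"local delivery via {owner}"
        if not self.forwarding:
            return "drop: forwarding disabled"
        r = self.lookup(dst)
        return f"forward out {r.iface}" if r else "drop: no route"

    def output(self, src: str, dst: str) -> str:
        """Interface/next hop for a locally generated packet, e.g. a jail's reply."""
        s, d = IPv4(src), IPv4(dst)
        # route-to: traffic sourced from the DMZ address leaving the DMZ goes via the router.
        for net, iface, gw in self.policy_routes:
            if s in net and d not in net:
                return f"out {iface} via {gw}"
        r = self.lookup(dst)
        if r is None:
            return "drop: no route"
        return f"out {r.iface} via {r.gateway or 'direct'}"


LAN = Net("172.16.0.0/16")
DMZ = Net("192.168.0.0/24")


def box_a(**kw) -> Host:
    """Box A from the post; router addresses 172.16.0.1 / 192.168.0.1 are assumed."""
    return Host(
        addrs={"if0": IPv4("172.16.0.2"), "if1": IPv4("192.168.0.2")},
        routes=[Route(LAN, "if0"), Route(DMZ, "if1"),
                Route(Net("0.0.0.0/0"), "if0", "172.16.0.1")],
        **kw)


if __name__ == "__main__":
    # BoxB's static route sends the jail's address in via if0: accepted with forwarding off.
    print(box_a().input("if0", "192.168.0.2"))
    # The same packet with a strong-host check or an ingress filter on if0.
    print(box_a(strong_host=True).input("if0", "192.168.0.2"))
    print(box_a(ingress_deny=[("if0", DMZ)]).input("if0", "192.168.0.2"))
    # The jail's reply to BoxB: plain routing picks if0, route-to sends it via the DMZ router.
    print(box_a().output("192.168.0.2", "172.16.0.3"))
    print(box_a(policy_routes=[(DMZ, "if1", "192.168.0.1")]).output("192.168.0.2", "172.16.0.3"))
```

The first call shows why this is not a forwarding bug: 192.168.0.2 is a local address, so the packet never reaches the forwarding path. Blocking it therefore needs either an interface check on input (strong host behaviour) or an explicit firewall rule on if0 denying DMZ destinations; for the replies, a policy route keyed on the source address is what pushes them back through the router.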