unwanted packet forwarding / PR candidate?
Jeremie Le Hen
jeremie at le-hen.org
Tue May 31 07:30:45 PDT 2005
Hi Harald,
> in a previous e-mail I described some problems with multihomed
> jail-systems. But there is another general problem.
>
> INET
> |-----------| | |---------|
> | Box A | |----A---| | Box B |
> |if0 if1| | Router | |----v----|
> |-v-------v-| |-v----v-| |
> | | DMZ | | |
> | |-----|-----| | |
> | | |
> |------------------------|------------|
> LAN
>
> If you look at the diagram you see Box A with two interfaces, if0
> (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for
> the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
> Now when I connect from BoxB(172.16.0.3) to a jail running on
> BoxA(192.168.0.2) the outgoing packets go over the router into the DMZ.
> But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2
> (BoxA if0) I can connect to the jail running on BoxA via the if0
> interface, even if I haven't enabled forwarding on BoxA.
> This is a big security hole IMHO.
> Should I file a PR for that?
Both if0's IP addresses and if1's belong to BoxA; the fact that the
IP address assigned to if1 is bound to a jail does not matter. In fact
there could be processes outside of the jail which listen on
192.168.0.2. This is the intended behaviour.
When BoxA receives a packet addressed to one of its IP addresses on some
interface, whichever interface it is, the packet is accepted unless
net.inet.ip.check_interface is set to 1.
The fact that you set this route on BoxB just sets the destination MAC
address of the packet destined to 192.168.0.2 to if0's.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
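As an added illustration (not code from the thread or from FreeBSD), the following small model of BoxA's input decision shows why disabling forwarding does not block the packet Harald describes, while net.inet.ip.check_interface does. The interface names and addresses are taken from the diagram; the classify function itself is a hypothetical model, not kernel code.

```python
# Added example, not part of the original mailing-list post. It models the
# accept/forward/drop decision Jeremie describes; it is not the kernel's code.
import ipaddress

# Constructed to match the thread's diagram: BoxA has if0 on the LAN
# (172.16/16) and if1 in the DMZ (192.168.0/24).
BOXA_IFACES = {
    "if0": ipaddress.ip_interface("172.16.0.2/16"),
    "if1": ipaddress.ip_interface("192.168.0.2/24"),
}


def classify(ingress_if, dst, ifaces=BOXA_IFACES,
             ip_forwarding=0, check_interface=0):
    """Return what BoxA does with a packet for dst received on ingress_if.

    'deliver': dst is one of BoxA's own addresses, so it goes to the local
               stack (a jail bound to that address is just a local listener).
    'forward': dst is not local and net.inet.ip.forwarding=1.
    'drop':    anything else, including a local dst that arrived on an
               interface not carrying that address when check_interface=1.
    """
    dst = ipaddress.ip_address(dst)
    local = {name: iface.ip for name, iface in ifaces.items()}
    if dst in local.values():
        # Weak host model: any local address is accepted on any interface
        # unless check_interface demands that dst match the ingress interface.
        if check_interface and local.get(ingress_if) != dst:
            return "drop"
        return "deliver"
    # Only non-local destinations ever touch the forwarding path.
    return "forward" if ip_forwarding else "drop"


if __name__ == "__main__":
    # BoxB's static route only changes the destination MAC to if0's; the
    # packet is still addressed to BoxA itself, so forwarding is irrelevant.
    print(classify("if0", "192.168.0.2"))                     # deliver
    print(classify("if0", "192.168.0.2", check_interface=1))  # drop
    print(classify("if1", "192.168.0.2", check_interface=1))  # deliver
    print(classify("if0", "192.168.0.50"))                    # drop
```

The last case is a packet for another DMZ host: with forwarding left off it is dropped, which is the only situation net.inet.ip.forwarding governs.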