jail && (ping && traceroute)

Pawel Jakub Dawidek nick at garage.freebsd.pl
Sat May 31 00:38:47 PDT 2003


On Fri, May 30, 2003 at 05:35:42PM +0300, Alexandr Kovalenko wrote:
+> I have 2 questions:
+> 
+>  - where in the code should I search for the ICMP socket binding
+>    prohibition in jail?
+>  - what bad consequences will appear if I remove those checks and
+>    the prohibition?

It is nasty to allow all jailed processes to open RAW sockets.
You can use CerbNG to allow only selected jailed processes to open a RAW socket.
General policy is here:

	http://cerber.sourceforge.net/policies/jailed-icmp.cb

but you can easily rewrite it to allow only selected processes to do this.

Project's page is here:

	http://cerber.sourceforge.net

And the rest of the policies:

	http://cerber.sourceforge.net/policies/

CerbNG works only on 4-STABLE systems for now, and a 1.0-RC2 version will
be out soon, but I've started porting it to -CURRENT.

-- 
Pawel Jakub Dawidek                       pawel at dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
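The two things this exchange is about, as an added example that is not part of the e-mail thread and not code from the CerbNG project: a process that is allowed a RAW socket has to build ICMP (and, with IP_HDRINCL, whole IP) headers itself, which is exactly the freedom a jail wants to withhold. The probe below constructs an ICMP echo request by hand, verifies its checksum, and then asks the kernel for a raw ICMP socket and a raw IP socket with IP_HDRINCL, reporting success or the errno it was refused with. Nothing is sent. It uses only the POSIX/BSD socket API, so it compiles on FreeBSD and Linux; whether the raw sockets are granted depends on the privileges and jail/sandbox the probe runs in. The payload string and the id/seq values are constructed sample data.

```c
/* Added example (not from the e-mail or the CerbNG project): hand-built
 * ICMP echo request plus a probe for raw-socket availability.  Nothing
 * is transmitted; the sockets are opened and closed again. */
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1071 one's-complement checksum over big-endian 16-bit words.
 * Returns the checksum in host order; the caller stores it big-endian.
 * Run over a packet whose checksum field is already filled in, it
 * returns 0 when the packet is intact. */
uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (i < len)                        /* odd trailing byte: pad with zero */
        sum += (uint32_t)data[i] << 8;
    while (sum >> 16)                   /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)(~sum & 0xffff);
}

/* ICMP echo request (type 8, code 0) with caller-chosen id/seq and payload.
 * Returns the number of bytes written, or 0 if buf cannot hold it. */
size_t build_echo_request(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    size_t len = 8 + plen;
    if (cap < len)
        return 0;
    buf[0] = 8;                         /* type: echo request */
    buf[1] = 0;                         /* code */
    buf[2] = buf[3] = 0;                /* checksum placeholder */
    buf[4] = (uint8_t)(id >> 8);  buf[5] = (uint8_t)id;
    buf[6] = (uint8_t)(seq >> 8); buf[7] = (uint8_t)seq;
    if (plen)
        memcpy(buf + 8, payload, plen);
    uint16_t cs = icmp_checksum(buf, len);
    buf[2] = (uint8_t)(cs >> 8);
    buf[3] = (uint8_t)cs;
    return len;
}

/* Ask the kernel for a raw socket of the given protocol; with want_hdrincl
 * also request IP_HDRINCL, i.e. the right to supply the IP header (and
 * therefore any source address) ourselves.  Returns 0 if the kernel
 * allowed it (the socket is closed again immediately) or the errno it
 * refused with, typically EPERM for an unprivileged or jailed process. */
int probe_raw_socket(int proto, int want_hdrincl)
{
    int fd = socket(AF_INET, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    if (want_hdrincl) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
            int e = errno;
            close(fd);
            return e;
        }
    }
    close(fd);
    return 0;
}

int main(void)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "cerb";   /* constructed sample payload */
    size_t n = build_echo_request(pkt, sizeof pkt, 0x1234, 1,
                                  payload, sizeof payload - 1);
    printf("echo request: %zu bytes, checksum 0x%02x%02x, verify=%u\n",
           n, pkt[2], pkt[3], icmp_checksum(pkt, n));

    int r = probe_raw_socket(IPPROTO_ICMP, 0);
    printf("raw ICMP socket: %s\n", r ? strerror(r) : "allowed");
    r = probe_raw_socket(IPPROTO_RAW, 1);
    printf("raw IP socket + IP_HDRINCL: %s\n", r ? strerror(r) : "allowed");
    return 0;
}
```

Run it once as an ordinary user and once as root (or inside and outside a jail) to see the kernel's answer change; the second probe, with IP_HDRINCL, is the one whose outcome matters most, since a process that gets it can emit packets with any source address.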