Jail resource limits
Geoffroy DESVERNAY
dgeo at ec-marseille.fr
Mon May 26 06:15:59 UTC 2008
>> come back the same way
>>
>> I still don't know if this behaviour is the better one (one may think
>> that jail's packets should not go through different interface ?), but =
it
>> works quite well ;)
>=20
> Surely that compromises jail security i.e. being able to access
> resources from the host box even it the jail has no perceivable
> access to them?
>=20
It have to be took in consideration before production time at least ;)
> I assume this still doesn't work if the server is in fact run on
> the main host only running on localhost?
>=20
I think the main host is never 'only' on localhost, since you must add
interfaces and addresses for the different jails it hosts, and those
interfaces are used by host's routing table...
The IP addresses you use for jails are usable by main host, and routing
table of main host is used to route jail's packets... so any jail you
host can use any other jail's route. (if you have only localhost on main
an *only one* interface for all jour jails, it doesn't hurt).
In our case, one of our jail host is using pf's 'route-to' to re-route
packets going to 'forbidden' interface from jails.
Regards,
--=20
Geoffroy Desvernay
Ecole Centrale de Marseille
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20080526/7de9a1e6/signature.pgp
More information about the freebsd-jail
mailing list