Implications of allow_raw_sockets=1

Justin G. justin at sigsegv.ca
Sun May 31 22:10:30 UTC 2009


On Sun, May 31, 2009 at 11:49 AM, Richard Noorlandt
<lists.freebsd at gmail.com> wrote:
> Hello everyone,
>
> I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
> jails that run all kinds of network services. One of the jails is running
> Nagios, which will monitor hosts in the network. The most straightforward
> way to let Nagios decide if a host is up or down, is by pinging other
> hosts. However, by default this won't work because the
> security.jail.allow_raw_sockets sysctl is set to '0'.
>
> It would be nice if I was able to ping from the Nagios jail, but the risks
> of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
> Some online searching suggests that the sysctl defaults to 0 because raw
> sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
> this has changed. Unfortunately I can't find a clear overview of the
> security risks involved with allowing raw sockets.
>
> So, what are the exact security implications of allowing raw sockets inside
> jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
> specific jails?
>
> Best regards,
>
> Richard
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
>

At this time there is no way to set allow_raw_sockets on a per-jail basis.

Raw sockets can allow processes to sniff the network, craft
malformed packets, execute DDoS attacks, inject packets, among other
things.
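As an added illustration (not part of the original thread), the program below does the two things the reply is about: it hand-builds the ICMP echo request that ping(8) sends, which is exactly the "craft your own packet" capability a raw socket grants, and then asks the kernel for the raw ICMP socket needed to put it on the wire. The socket() call is the step the jail controls: as an unprivileged user the kernel refuses it with EPERM, and it is my understanding (an assumption, not something the post states) that FreeBSD 7.x's raw-IP attach path also returns EPERM to a jailed root process while security.jail.allow_raw_sockets is 0. The sample packet values (id 0x1234, sequence 1, zeroed payload) are constructed here; the checksum routine is a plain RFC 1071 one's-complement sum, not taken from any FreeBSD source.

```c
/* Added example: build an ICMP echo request by hand and try to open the
 * raw socket needed to send it.  Portable to any BSD/POSIX socket API. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ICMP_ECHO_REQUEST 8   /* ICMP type for echo request (RFC 792) */

/* Minimal echo request: 8-byte ICMP header plus an 8-byte payload.
 * Every field is naturally aligned, so sizeof == 16 with no padding. */
struct icmp_echo {
    uint8_t  type;
    uint8_t  code;
    uint16_t cksum;    /* network byte order */
    uint16_t id;       /* network byte order */
    uint16_t seq;      /* network byte order */
    uint8_t  data[8];
};

/* RFC 1071 one's-complement checksum over buf, computed on big-endian
 * 16-bit words; the caller stores the result with htons(). */
uint16_t icmp_checksum(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t sum = 0;

    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)                         /* odd trailing byte */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill pkt with an echo request for (id, seq) and a zeroed payload.
 * Returns the packet length to pass to sendto(). */
size_t build_echo_request(struct icmp_echo *pkt, uint16_t id, uint16_t seq)
{
    memset(pkt, 0, sizeof *pkt);
    pkt->type = ICMP_ECHO_REQUEST;
    pkt->code = 0;
    pkt->id = htons(id);
    pkt->seq = htons(seq);
    pkt->cksum = htons(icmp_checksum(pkt, sizeof *pkt));
    return sizeof *pkt;
}

/* Ask for the raw ICMP socket ping needs.  Returns 0 and stores the
 * descriptor on success, otherwise the errno from socket().  EPERM is
 * what an unprivileged process sees everywhere and (assumption) what a
 * jail with security.jail.allow_raw_sockets=0 returns to jailed root. */
int try_raw_icmp_socket(int *fd_out)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    *fd_out = fd;
    return 0;
}

int main(void)
{
    struct icmp_echo pkt;
    size_t len = build_echo_request(&pkt, 0x1234, 1);
    int fd, rc;

    printf("echo request: %zu bytes, checksum 0x%04x\n",
           len, ntohs(pkt.cksum));

    rc = try_raw_icmp_socket(&fd);
    if (rc != 0) {
        /* Inside a jail, check: sysctl security.jail.allow_raw_sockets */
        fprintf(stderr, "raw ICMP socket refused: %s\n", strerror(rc));
        return 1;
    }

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* 127.0.0.1 */

    if (sendto(fd, &pkt, len, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
        perror("sendto");
    else
        printf("sent echo request to 127.0.0.1\n");
    close(fd);
    return 0;
}
```

Run it as an ordinary user and the socket() call fails before any packet is built into the wire; run it as root on the host and it sends. The point for the jail question is that the gate is at socket creation, not at sendto(): once a jailed process holds a raw socket it can write whatever bytes it likes, including the malformed or spoofed packets the reply warns about, and on 7.1 the sysctl is global, so you are enabling that for every jail on the box, not just the Nagios one.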
