nmap and Nessus in a jail -- scans fail

Erik Osterholm freebsd-lists-erik at erikosterholm.org
Tue Oct 14 15:07:39 PDT 2008


Hi all,

Running 7.0-RELEASE-p2, I set up a jail from which to perform NMAP and
Nessus scans.  I set the sysctl security.jail.allow_raw_sockets=1,
which I expected to prevent any problems.  Unfortunately, I'm getting
this whenever I try to NMAP:

$ sudo nmap -P0 localhost
Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-14 16:56 CDT
WARNING: Unable to find appropriate interface for system route to
xxx.xx.xx.xx
WARNING: Unable to find appropriate interface for system route to
127.0.0.1
nexthost: failed to determine route to 127.0.0.1
QUITTING!

Nessus scans fail shortly after being started if port scanning is
enabled.  If port scanning is disabled, the vulnerability scan
succeeds.  Identical configurations outside of a jail work just fine,
which led me to believe that the Nessus and NMAP issues are related
to the processes being jailed.

$ sysctl -a | grep jail
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1

Anyone have any hope for me?

Erik


More information about the freebsd-questions mailing list