jails, ipfilter & stunnel
V. Jones
vjones62 at earthlink.net
Mon Jul 14 12:41:19 PDT 2003
>No, no, no!
>You first need to realize how the kernel will choose the listen socket.
>If you bind to port 22 on the main host with INADDR_ANY, you get this
>INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
>it will be translated to the jail's IP. Now if there is an open port outside
>the jail and it is opened inside some jail as well, guess which socket will
>be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the kernel
>translates them to the jail's IP). So from a security point of view, if someone
>breaks into your jail, he is able to spoof your sshd (let's forget
>for a moment about server keys), your mail server or anything
>and get your password, for example.
>You can check my patch for multiple IPs in jails, which also fixes
>socket ordering behaviour.
> For FreeBSD 4.x:
> http://garage.freebsd.pl/mijail.tbz
> http://garage.freebsd.pl/mijail.README
> For FreeBSD 5.1-CURRENT:
> http://garage.freebsd.pl/mijail5.tbz
> http://garage.freebsd.pl/mijail5.README
> http://garage.freebsd.pl/patches/mijail5.patch
I have a feeling you're trying to tell me something important
but I'm not understanding. Is this a problem only with ssh or
with any server listening on a port? Does this problem occur
when you share an ip address between two jailed servers or does
it happen any time you use a jail? Would having ssh on a
different port on each jail avoid the problem?
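
Added example, not part of the original message or of the mijail patch: a simplified Python model of the listen-socket choice described in the quoted text (a socket bound to an exact address is preferred over one bound to INADDR_ANY), together with an audit that lists host daemons listening on the wildcard address. The function names, the 192.0.2.x addresses and the sample listing (laid out like `sockstat -4l` output) are constructed for illustration.

```python
# Simplified model, not kernel code. All names and addresses are hypothetical.

# Constructed sample in the column layout of FreeBSD `sockstat -4l` on the host.
HOST_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
root     sendmail   455   4  tcp4   192.0.2.10:25         *:*
root     inetd      470   5  tcp4   *:21                  *:*
"""


def parse_listeners(text):
    """Return (command, address, port) for each tcp4 listener line."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[4] == "tcp4":
            addr, _, port = fields[5].rpartition(":")
            listeners.append((fields[1], addr, int(port)))
    return listeners


def jail_bind(command, port, jail_ip):
    """A bind to INADDR_ANY inside a jail is translated to the jail's IP."""
    return (command, jail_ip, port)


def choose_listener(listeners, dst_addr, dst_port):
    """An exact-address socket wins over a wildcard socket on the same port."""
    exact = [l for l in listeners if l[1] == dst_addr and l[2] == dst_port]
    wild = [l for l in listeners if l[1] == "*" and l[2] == dst_port]
    return (exact or wild or [None])[0]


def wildcard_host_listeners(host_text):
    """Host daemons on INADDR_ANY: a jail-side bind on the same port is
    preferred over these for traffic addressed to the jail's IP."""
    return sorted((cmd, port) for cmd, addr, port in parse_listeners(host_text)
                  if addr == "*")


if __name__ == "__main__":
    sockets = parse_listeners(HOST_SOCKSTAT) + [jail_bind("sshd-in-jail", 22, "192.0.2.20")]
    print("to jail IP :", choose_listener(sockets, "192.0.2.20", 22))
    print("to host IP :", choose_listener(sockets, "192.0.2.10", 22))
    print("wildcard host listeners:", wildcard_host_listeners(HOST_SOCKSTAT))
```

Host daemons that show up in the wildcard list are the ones to rebind to the host's own address (for sshd, `ListenAddress` in sshd_config).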