jails, ipfilter & stunnel

Pawel Jakub Dawidek nick at garage.freebsd.pl
Tue Jul 15 02:06:36 PDT 2003 

On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
+> >My advice is simple: every jail and main host should have its own IP 
+> >address.
+> 
+> This is certainly the best solution, if you have multiple IP addresses 
+> at your disposal.  What I was trying to point out is that there is no 
+> _technical_ reason for separate IP addresses with regard to FreeBSD's 
+> jail implementation.  In cases where you cannot easily get additional IP 
+> addresses, on a rented server in a data center, for instance, running 
+> multiple jails on the same IP address (with the necessary safety 
+> precautions like binding daemons to IP addresses explicitly) is still 
+> far better than no jails at all.  The difference is that it takes at 
+> least some skill and insight into FreeBSD internals to compromise the 
+> system as a whole in the former case, while in the latter each and every 
+> script kiddy can take over your entire server in no time.

IMHO security solutions that are "harder to break", aren't security
solutions.

There is secure method, you can always use CerbNG:)

	http://cerber.sourceforge.net

Now you need to create such policy:

if (syscall == SYS_bind && isjailed() &&
    (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) {
	permit = 1;
	port = getport(arg[1]);
	host = getjailhost();
	if (host == "apache" && port != 80 && port != 443) {
		permit = 0;
	}
	if (host == "smtp" && port != 25) {
		permit = 0;
	}
	if (host == "pop3" && port != 110 && port != 995) {
		permit = 0;
	}
	if (!permit) {
		log(LOG_WARNING, "CerbNG: Process %s [pid=%u] from jail %s "
		    "is trying to bind to port %u!", pname, pid, host, port);
		return EPERM;
	}
}

Now processes jailed in prison with hostname "apache" could bind only
to port 80 or 443, etc.

-- 
Pawel Jakub Dawidek                       pawel at dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030715/c3685680/attachment.bin

More information about the freebsd-security mailing list