jail && (ping && traceroute)
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Sat May 31 00:38:47 PDT 2003
On Fri, May 30, 2003 at 05:35:42PM +0300, Alexandr Kovalenko wrote:
+> I have 2 questions:
+>
+> - where in code should I search for icmp socket binding prohibition in
+> jail?;
+> - what bad consequences will appear if I remove those checks and
+> prohibition?.
It is nasty to allow all jailed processes to open RAW sockets.
You can use CerbNG to allow only selected jailed processes to open a RAW socket.
General policy is here:
http://cerber.sourceforge.net/policies/jailed-icmp.cb
but you can easily rewrite it to allow only selected processes for this.
Project's page is here:
http://cerber.sourceforge.net
And the rest of the policies:
http://cerber.sourceforge.net/policies/
CerbNG works only on 4-STABLE systems for now and there will soon be a
1.0-RC2 version, but I've started porting it to -CURRENT.
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net