Implications of allow_raw_sockets=1
Richard Noorlandt
lists.freebsd at gmail.com
Mon Jun 1 01:56:43 UTC 2009
2009/5/31 Justin G. <justin at sigsegv.ca>:
> Raw sockets can allow processes to sniff on the network, craft
> malformed packets, execute DDoS attacks, inject packets, among other
> things.
These are basically things that any non-virtualized server could do on the
network. As such, disallowing raw sockets should give higher security than a
'normal' server running FreeBSD without a jail.
But does the use of raw sockets open up holes that could allow the root user
in a jail to break into another jail? I'm particularly concerned about attack
vectors that wouldn't exist with multiple real hosts connected through a dumb
switch (which usually introduces all the risks you mentioned).
Best regards,
Richard
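A defender reading this thread will mostly want to know which jails on a host actually have raw sockets enabled. The script below is an added example, not code from the thread or from the FreeBSD project. It assumes the per-jail parameter name `allow.raw_sockets` as reported by `jls -n` on FreeBSD 8 and later (the 2009 discussion refers to the older global `security.jail.allow_raw_sockets` sysctl); the `jls` output it parses is a constructed sample, and `audit_live` is a hypothetical helper that runs the same check against a real host.

```shell
#!/bin/sh
# Audit which jails permit raw sockets, based on `jls -n` name=value output.

# Constructed sample of `jls -n jid name allow.raw_sockets` output
# (not taken from the thread; the jail names are invented).
SAMPLE_JLS='jid=1 name=www allow.raw_sockets=0
jid=2 name=dns allow.raw_sockets=1
jid=3 name=build allow.raw_sockets=0'

# raw_socket_jails OUTPUT
# Reads jls -n style lines from $1 and prints the name of every jail
# whose allow.raw_sockets parameter is set to 1, one per line.
raw_socket_jails() {
    printf '%s\n' "$1" | awk '
        {
            name = ""; raw = ""
            for (i = 1; i <= NF; i++) {
                # Each field is key=value; split on the first "=".
                eq = index($i, "=")
                if (eq == 0) continue
                key = substr($i, 1, eq - 1)
                val = substr($i, eq + 1)
                if (key == "name") name = val
                if (key == "allow.raw_sockets") raw = val
            }
            if (raw == "1") print name
        }'
}

# audit_live (hypothetical helper): run the same check against the
# running system. Only meaningful on a FreeBSD host with jails.
audit_live() {
    raw_socket_jails "$(jls -n jid name allow.raw_sockets)"
}

# Demonstration against the constructed sample.
echo "Jails with allow.raw_sockets=1:"
raw_socket_jails "$SAMPLE_JLS"
```

On a real host, call `audit_live` and compare the list against the jails that genuinely need raw sockets (for example, one running a ping-based monitor); everything else should have the parameter left at 0, which is the default.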