jails, ipfilter & stunnel
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Mon Jul 14 14:09:45 PDT 2003
On Mon, Jul 14, 2003 at 12:39:50PM -0400, V. Jones wrote:
> >You can check my patch for multiple ips in jails which also fix
> >sockets ordering behaviour.
>
> > For FreeBSD 4.x:
> > http://garage.freebsd.pl/mijail.tbz
> > http://garage.freebsd.pl/mijail.README
> > For FreeBSD 5.1-CURRENT:
> > http://garage.freebsd.pl/mijail5.tbz
> > http://garage.freebsd.pl/mijail5.README
> > http://garage.freebsd.pl/patches/mijail5.patch
>
> I have a feeling you're trying to tell me something important
> but I'm not understanding. Is this a problem only with ssh or
> with any server listening on a port? Does this problem occur
> when you share an ip address between two jailed servers or does
> it happen any time you use a jail? Would having ssh on a
> different port on each jail avoid the problem?
No, because an attacker is able to spoof your daemons from the main host or
other jails. Even if you're bound to a valid IP (not INADDR_ANY) there
could always be a chance to DoS an existing daemon and reuse its port.
My advice is simple: every jail and main host should have its own IP address.
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
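A small audit for the advice above (every jail and the host on its own address), added here as an example and not part of the thread or of the mijail patch: it parses a constructed, simplified jail.conf fragment (jail(8) syntax, which postdates this 2003 post; the jail names, paths and addresses are made up) and reports any IPv4 address claimed by more than one jail or shared with the host, which is exactly the situation where one jail's daemon can collide with or take over another's port.

```python
import re
from collections import defaultdict

# Constructed jail.conf fragment (simplified jail(8) syntax, not from the post).
# "db" shares 192.0.2.10 with "www", and "mail" reuses the host's own address.
SAMPLE_JAIL_CONF = """
www {
    path = /jails/www;
    ip4.addr = 192.0.2.10;
}
db {
    path = /jails/db;
    ip4.addr = 192.0.2.10, 192.0.2.11;
}
mail {
    path = /jails/mail;
    ip4.addr = 192.0.2.1;
}
"""

BLOCK_RE = re.compile(r"(\w[\w.-]*)\s*\{(.*?)\}", re.S)   # name { ... } blocks
ADDR_RE = re.compile(r"ip4\.addr\s*\+?=\s*([^;]+);")       # ip4.addr = a, b;  or  +=

def parse_jail_ips(conf):
    """Map each jail name to the set of IPv4 addresses its daemons may bind."""
    jails = {}
    for name, body in BLOCK_RE.findall(conf):
        addrs = set()
        for value in ADDR_RE.findall(body):
            for tok in value.split(","):
                # drop an optional interface prefix ("em0|192.0.2.10") and netmask
                addrs.add(tok.strip().split("|")[-1].split("/")[0])
        jails[name] = addrs
    return jails

def shared_ips(conf, host_ips):
    """Return {ip: sorted owners} for every address used by more than one owner."""
    owners = defaultdict(set)
    for ip in host_ips:
        owners[ip].add("host")
    for name, addrs in parse_jail_ips(conf).items():
        for ip in addrs:
            owners[ip].add(name)
    return {ip: sorted(o) for ip, o in owners.items() if len(o) > 1}

if __name__ == "__main__":
    for ip, who in shared_ips(SAMPLE_JAIL_CONF, {"192.0.2.1"}).items():
        print(f"{ip} is shared by {', '.join(who)}")
```

An empty result means each jail and the host own disjoint addresses, which is the configuration the reply recommends.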