Closing information leaks in jails?
Pawel Malachowski
pawmal-posting at freebsd.lublin.pl
Fri Aug 19 08:48:22 GMT 2005
On Thu, Aug 18, 2005 at 10:44:42PM +0000, Nate Nielsen wrote:
> netstat works, but it limits itself to the jail pretty well. In
> particular 'netstat -r' and friends don't work. The normal 'netstat -a'
> only shows connections to the current jail. It does show the output from
> 'netstat -m' and those sort of things, but those say nothing over the
> network load of the current machine.
One can use the bmon application in a jail to graph network activity in real time,
for example:
% sysctl -a | grep jail
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 1
% id
uid=11226(pawmal) gid=10999(pawmal) groups=10999(pawmal)
% bmon
# Interface RX Rate RX # TX Rate TX #
....................................................................................
xxx (source: local)
0 fxp0 1.29KiB 23 32.51KiB 34
1 lo0 442.00B 2 442.00B 2
2 vlan3 660.00B 11 32.40KiB 27
3 vlan4 419.00B 5 0.00B 0
4 vlan6 0.00B 0 0.00B 0
5 vlan9 0.00B 0 0.00B 0
--
Paweł Małachowski
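A small check script to go with the session shown above, as an added example that is not part of the post: it reads the `security.jail.*` values in the "name: value" layout of `sysctl -a` and reports any knob that is not at the restrictive setting visible in the post, and it pulls the interface names out of a bmon table in the six-column row layout the post shows. The point it makes is the one the post makes: even with every knob restrictive, the interface list bmon prints from inside the jail is the host's, so none of these sysctls closes that leak. Function names and the sample input are constructed here and assumed, not taken from bmon or FreeBSD.

```shell
#!/bin/sh
# Added example for the jail information-leak question above; not from the
# post. Assumes the "name: value" layout of `sysctl -a` and bmon's six-column
# rows ("<index> <ifname> <rx rate> <rx#> <tx rate> <tx#>") as shown in the
# post. All sample input below is constructed.

# Restrictive value for each security.jail.* knob visible in the post.
JAIL_EXPECTED="security.jail.set_hostname_allowed=0
security.jail.socket_unixiproute_only=1
security.jail.sysvipc_allowed=0
security.jail.getfsstatroot_only=1
security.jail.allow_raw_sockets=0
security.jail.chflags_allowed=0"

# audit_jail_sysctls: read "name: value" lines on stdin, print every knob that
# is not at its restrictive value, and return that count as the exit status
# (0 = all restrictive). Usage: sysctl -a | grep jail | audit_jail_sysctls
audit_jail_sysctls() {
    bad=0
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        expected=$(printf '%s\n' "$JAIL_EXPECTED" | sed -n "s|^$name=||p")
        [ -z "$expected" ] && continue   # e.g. security.jail.jailed: informational
        if [ "$value" != "$expected" ]; then
            printf 'PERMISSIVE: %s = %s (restrictive value: %s)\n' \
                "$name" "$value" "$expected"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# list_bmon_interfaces: extract interface names from a bmon table on stdin.
# Inside a jail the list should match the jail's own interfaces; every extra
# name is host information readable from the jail, which none of the knobs
# above controls.
list_bmon_interfaces() {
    awk 'NF == 6 && $1 ~ /^[0-9]+$/ { print $2 }'
}

# Constructed sample: the post's values with set_hostname_allowed flipped on.
SAMPLE_SYSCTL="security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 1"

# Constructed sample bmon table in the layout shown in the post.
SAMPLE_BMON="# Interface RX Rate RX # TX Rate TX #
xxx (source: local)
0 fxp0 1.29KiB 23 32.51KiB 34
1 lo0 442.00B 2 442.00B 2
2 vlan3 660.00B 11 32.40KiB 27"

# Run with "demo" as the first argument to see both checks on the samples.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_jail_sysctls
    echo "knobs at a permissive value: $?"
    echo "interfaces visible in bmon output:"
    printf '%s\n' "$SAMPLE_BMON" | list_bmon_interfaces
fi
```

On a real jail, pipe `sysctl -a | grep jail` into `audit_jail_sysctls` and compare the names that `list_bmon_interfaces` prints against the addresses the jail was started with; the gap between the two is the leak the post is describing.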