Bryan Fullerton
2005-Feb-28 21:27 UTC
bind() on 127.0.0.1 in jail: bound to the outside address?
I'd noticed this as well, but assumed it was a feature. Given that there's only one IP inside the jail, how do you bind to a loopback IP that doesn't exist? I suspect the behavior you're seeing is another 'simple hack' to allow binding to the loopback IP to not just immediately fail with "unable to bind".

If this isn't documented somewhere (I didn't bother to check, it made sense to me once I figured out what it was doing) it should be. I have noticed that documentation of jail in the handbook in general is a bit lacking, maybe I'll see if I can find time to look at that (heh).

Bryan

On Tue, 1 Mar 2005 00:25:48 +0800, Xin LI <delphij@frontfree.net> wrote:
> Dear folks,
>
> It seems that doing bind() inside a jail (whose IP address is an outside
> address) will result in some weird behavior, in that the actual bind is
> done on the outside address.
>
> For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1
> will finally result in a bind to 192.168.1.1:6666. With this in mind,
> it is possible that some formerly secure configurations fail in a jail
> environment.
>
> It seems that our implementation will forward every loopback connection
> to the outside address. A simple hack to work around this issue might
> be to modify the individual bind procedures to treat the prison case with
> a loopback address, but I'm not sure if a true solution can solve the
> issue with minimum code change and code complexity.
>
> Your ideas are highly appreciated!
>
> Cheers,
> --
> Xin LI <delphij frontfree net> http://www.delphij.net/
> See complete headers for GPG key and other information.
Dear folks,

It seems that doing bind() inside a jail (whose IP address is an outside address) will result in some weird behavior, in that the actual bind is done on the outside address.

For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1 will finally result in a bind to 192.168.1.1:6666. With this in mind, it is possible that some formerly secure configurations fail in a jail environment.

It seems that our implementation will forward every loopback connection to the outside address. A simple hack to work around this issue might be to modify the individual bind procedures to treat the prison case with a loopback address, but I'm not sure if a true solution can solve the issue with minimum code change and code complexity.

Your ideas are highly appreciated!

Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
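The behaviour Xin LI describes is easy to confirm from inside a jail without reading kernel code: bind() a socket to 127.0.0.1 and then ask the kernel, via getsockname(), which address it really used. The program below is an added example written for this page, not code from the thread or from FreeBSD; the function names check_bind_address() and addr_was_rewritten() and the three result codes are my own. Port 0 is requested so the kernel picks a free ephemeral port and the check never collides with a running service, and the socket is closed immediately afterwards. On an ordinary host (or a jail with its own network stack) the bound address matches the request; in a jail whose only address is an outside address, the request for 127.0.0.1 comes back as the jail IP, which is exactly the case a service that "listens on localhost only" needs to know about.

```c
/* Added example (not from the list thread): bind to a requested
 * address and report the address the kernel actually bound.
 * Names check_bind_address / addr_was_rewritten and the result
 * codes are assumptions of this example, not a FreeBSD API. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Result codes for check_bind_address(). */
enum bind_check {
    BIND_CHECK_ERROR = -1,       /* socket(), bind() or getsockname() failed */
    BIND_CHECK_AS_REQUESTED = 0, /* kernel bound the address we asked for */
    BIND_CHECK_REWRITTEN = 1     /* kernel substituted another address (jail case) */
};

/* Pure comparison of two dotted-quad strings: 1 if the kernel handed
 * back a different address than the one requested, 0 if they match,
 * -1 if either string is not a valid IPv4 address. */
int addr_was_rewritten(const char *requested, const char *actual)
{
    struct in_addr want, got;
    if (inet_pton(AF_INET, requested, &want) != 1 ||
        inet_pton(AF_INET, actual, &got) != 1)
        return -1;
    return want.s_addr != got.s_addr;
}

/* Bind a TCP socket to requested_ip:port, then ask the kernel which
 * address it really used. If actual_ip is non-NULL the bound address
 * is written there (needs INET_ADDRSTRLEN bytes). */
int check_bind_address(const char *requested_ip, unsigned short port,
                       char *actual_ip, size_t actual_len)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof(got);
    int fd, rc;

    memset(&want, 0, sizeof(want));
    want.sin_family = AF_INET;
    want.sin_port = htons(port);
    if (inet_pton(AF_INET, requested_ip, &want.sin_addr) != 1)
        return BIND_CHECK_ERROR;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return BIND_CHECK_ERROR;

    /* getsockname() reports what the kernel really bound, which is
     * the only reliable way to see a silent address substitution. */
    if (bind(fd, (struct sockaddr *)&want, sizeof(want)) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return BIND_CHECK_ERROR;
    }
    close(fd);

    if (actual_ip != NULL && actual_len > 0)
        inet_ntop(AF_INET, &got.sin_addr, actual_ip, actual_len);
    rc = got.sin_addr.s_addr == want.sin_addr.s_addr
             ? BIND_CHECK_AS_REQUESTED
             : BIND_CHECK_REWRITTEN;
    return rc;
}

/* Convenience wrapper for the case the thread is about. */
int loopback_bind_is_rewritten(void)
{
    return check_bind_address("127.0.0.1", 0, NULL, 0);
}

int main(void)
{
    char actual[INET_ADDRSTRLEN];
    int rc = check_bind_address("127.0.0.1", 0, actual, sizeof(actual));
    if (rc == BIND_CHECK_ERROR) {
        perror("bind check");
        return 2;
    }
    printf("requested 127.0.0.1, kernel bound %s: %s\n", actual,
           rc == BIND_CHECK_REWRITTEN ? "REWRITTEN to the jail address"
                                      : "as requested");
    return rc;
}
```

Build with `cc -o bindcheck bindcheck.c` and run it once on the host and once inside the jail; the exit status (0 as requested, 1 rewritten, 2 error) makes it usable from a startup script that refuses to launch a "localhost-only" daemon when the address was substituted. Jails without a virtual network stack still translate 127.0.0.1 to the jail's first IPv4 address (documented under ip4.addr in jail(8)), so the check is as relevant today as it was for the configuration in the thread.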
Michael Schuh
2005-Jul-04 11:16 UTC
bind() on 127.0.0.1 in jail: bound to the outside address?
Hello,

In jails you cannot bind any application to 127.0.0.1; you can always bind only to the jail IP. If you set up sshd in the jail (or another way to get a shell in this jail), you can run ifconfig -a and see that you have only the outbound address 192.168.1.1 (the jail IP) to bind services to.

You cannot have more than one 127.0.0.1, because this address is visible in the host environment, but you can try setting up 127.0.0.2 as a second IP address of the lo device and give that to the jail, but you then lose the other IP (I think, not sure). Try to set the second IP address in the rc.conf of the jail.

best regards
michael