similar to: Jails and loopback interfaces

> I recently did something like this. I have a webserver in a jail that > needs to talk to a database, and the webserver is the only thing that > should talk to the databse. > My solution was to use 2 jails: one for the webserver, and another for the > database. > Jail 1: > * runs webserver > * binds to real interface with real, routable IP > Jail 2: > *

Hi guys. We have currently Asterisk CVS-v1-0-08/15/05-15:53:48 connected in SIP with a Cisco AS5300 (IOS 12.3). One PRI is connected to the Cisco gateway. The problem we have is that on incoming PSTN calls to the AS5300, relayed in SIP to Asterisk, the callerID name is not being transmitted. We received the callerID number but no name. I know we are receiving the name from the PRI in

``You do not want to overbuild your security or you will interfere with the detection side, and detection is one of the single most important aspects of any security mechanism. For example, it makes little sense to set the schg flag (see chflags(1)) on every system binary because while this may temporarily protect the binaries, it prevents an attacker who has broken in from making an easily

i am invoking op from a python proggy which does an op.system() of op chmod 640 /usr/local/etc/tac_plus.conf i get "Permission denied by op" % ls -l /usr/local/etc/op.access -r-------- 1 root wheel 149 Jan 13 07:41 /usr/local/etc/op.access % cat /usr/local/etc/op.access # 2007.01.13 # #DEFAULT users=src # chown /usr/sbin/chown $* ; users=src chmod /bin/chmod $* ; users=src

Hi all, I have two prodction servers with FreeBSD 5.4 (all security patches are applied). They running some services like dns, ssh, http, ftp, etc. But I woukd like to encrypt some services for some hosts with ipsec when it is accessed. For example: - DNS resolution: not encrypted. - DNS replication master-slave: encrypted by ipsec. - Telnet: encrypted by ipsec for some hosts. Deny

Hi, On isolinux's website, it is stated that: "NOTE: ISOLINUX will search for the config file directory in the order /boot/isolinux, /isolinux, /. The first directory that exists is used, even if it contains no files. Therefore, please make sure that these directories don't exist if you don't want ISOLINUX to use them." Why this limitation is present?? I'm trying

Hi, I have a share: [share] path = /appl/md/data valid users = +asd write list = +asd read only = No create mask = 0664 directory mask = 0775 And it has directories that have 3000 files in them, but when I look at the same directory thru a Windows 2000, I only see 1360 files, no more. If I type the path a file that isn't shown in the

Hi, I am trying to install Oracle 9i RAC on SLES 8 SP3 with a shared firewire disk. I am using the following OCFS: OCFS Release 1.0.11-1 for suse sp3 2.4.21-138 smp kernel ocfs-2.4.21-138-smp-1.0.11-1.i586.rpm ocfs-tools-1.0.10-1.i386.rpm ocfs-support-1.0.10-1.i386.rpm 1/ I have configured OCFS and a shared file system /opt/oracle/oradata 2/ I have created a raw device for use as quorum

I'm going to apply the ssh patch. Applying it to the "real" server seems straightforward enough, but I'm wondering what the right procedure is to apply this patch to my jailed servers.

FreeBSD-12.1p7 Samab-4.10.15 running in FreeBSD Jail I just wish to ensure that my conclusion respecting Samba, FreeBSD Jails, and NTP is correct. 1. Unless configured otherwise Windows domain clients will query and obtain their time from the samba_server DC. 2. Samba_server obtains its time from the OS, in this case a FreeBSD Jail. 3. FreeBSD Jails get their time from their host. 4. If

I'm setting up a server where I plan to use Jails to improve security I also have installed and am configuring ipfilter. Here are my questions: Because I'm using Jails, I will have to have multiple ip aliases on the network interface. I will use ipfilter to specify what can go to each of the addresses. (e.g., allow only incoming to port 80 on the jail running apache). Another

I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privilegs to a FreeBSD jail & user privileges to the jails host machine can obtain root privileges on the host machine. Can someone confirm if this bugg/exploit works?

Hello all, I've been searching around and have come up with no current discussions on this issue. I'll keep it brief: In 7.0 or 7.1 is there any provision to have multiple IP addresses in a jail? I'm stumped on this, as I just started a new hosting project that needs a few jails. At least one of those requires multiple IPs, which is something I never really even realized was

Hello, I'm wondering about closing some information leaks in FreeBSD jails from the "outside world". Not that critical (depends on the application), but a simple user, with restricted devfs in the jail (devfsrules_jail for example from /etc/defaults/devfs.rules) can figure out the following: - network interfaces related data, via ifconfig, which contains everything, but the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everyone, One quick question: Is it safe and/or sensible to rename the root account, so that the only uid 0 user on a system is something different to root? I can see how this would be effective against external attackers who have no knowledge of the internals of the system as they would spend pointless hours trying to crack a user which doesnt

I've got a server running FreeBSD 6.2 and PF. The server has a couple dozen jails on it. Previously, I had a few "private" services such as MySQL running on loopback IPs (127.0.0.2+) and the rest of the jails running on the public IPs. I have to renumber my machine with a new block of public IPs so I thought I'd be clever and move all the jails onto loopback IPs. Then

Although RAW sockets can be used when specifying the source address of packets (defeating one of the aspects of the jail) some people may find it usefull to use utilities like ping(8) or traceroute(8) from inside jails. Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear dovecot developers, first: thanks for this really cool imapd, on my server it serves some hundred domains, all in all some thousand users, some having hundred thousand mails in their Maildirs (their spam boxes mostly). Since I put this installation in an FreeBSD geli encrypted disc image I had no choice but to choose an imapd with clever

Good Day! I think we have a serious problem. One of our old server running FreeBSD 4.9 have been compromised and is now connected to an ircd server.. 195.204.1.132.6667 ESTABLISHED However, we still haven't brought the server down in an attempt to track the intruder down. Right now we are clueless as to what we need to do.. Most of our servers are running legacy operating systems(old

Hello, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension! But I have one problem: If I want to stop a jail with 'jaill -r jailname', I get "umount: unmount of /.jail.jailname failed: Device busy" It seems to me that the order of fstab.jailname entries are not reverted by jail(8) when shutting down/umounting. My C skills