similar to: Closing information leaks in jails?

Hi, IP traffic from one jail to another jail, arrives on destination jail on lo0 having the destination jails IP as source IP. Why not the source jail's IP address? How can I filter traffic from one jail to another, using ipfw of ipf? Cheers, -- Anders.

Hi all, I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with: ** Network Security ** - Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) Solution: run the web server and web users shell in

Hello, I have some jails running on ZFS, so I have to mount devfs's into them. For this purpose, I have some similar lines in /etc/fstab: devfs /pool/jail/ldap/dev devfs rw 0 0 Where /pool is a ZFS filesystem. This has worked until today -when I upgraded from a previous 7-STABLE (FreeBSD 7.0-STABLE #16: Fri Mar 7 14:30:08 CET 2008) to today's STABLE- but not

Hi, On 05/04/15 10:59, Timo Sirainen wrote: > On 28 Apr 2015, at 23:49, Nagy, Attila <bra at fsn.hu> wrote: >> Hi, >> >> imapc does a lot of UID FETCH $UID (BODY.PEEK[]), which is nice, because it works even with the dumbest IMAP server, altough it really kills performance, especially on high latency lines. >> >> I wonder: if IMAP servers can effectively

On 09/11/2017 10:42 AM, Sami Ketola wrote: >> On 11 Sep 2017, at 11.24, Nagy, Attila <bra at fsn.hu> wrote: >> I use dovecot with a broken IMAP server (which doesn't properly implement command pipelining amongst others) as an imapc backend. >> Dovecot issues the above command sequence (SELECT and UID FETCH pipelined), which doesn't work with this server. >>

Hi, Running: Freebsd 6.0 I am wondering if it is possible to have acces to loopback ip in a jail. I currently have a server running a jail. In the jail, there is a database and a web server. I would like to be able to have the database only bind on a loopback address and not on the jail's ip. Can this be done and how? Thanks -Cyril

On 09/11/2017 11:14 AM, Aki Tuomi wrote: > > On 11.09.2017 11:59, Nagy, Attila wrote: >> On 09/11/2017 10:42 AM, Sami Ketola wrote: >>>> On 11 Sep 2017, at 11.24, Nagy, Attila <bra at fsn.hu> wrote: >>>> I use dovecot with a broken IMAP server (which doesn't properly >>>> implement command pipelining amongst others) as an imapc backend.

On 09/11/2017 09:17 AM, Aki Tuomi wrote: > > On 08.09.2017 15:29, Nagy, Attila wrote: >> On 09/08/2017 01:53 PM, Aki Tuomi wrote: >>> On 08.09.2017 14:50, Nagy, Attila wrote: >>>> Hi, >>>> >>>> I've a broken IMAP server, which doesn't support pipelining and fails >>>> on dovecot's attempt to do this ([C] is

On 08 Feb 2016, at 12:56, Nagy, Attila <bra at fsn.hu> wrote: > > On 02/08/16 11:16, Timo Sirainen wrote: >> Oh, you were thinking about ability to provide IMAP/etc support for other random servers, and have Dovecot act as kind of a middleware and translate the requests. Maybe the answer is still jmap though? It would require jmap lib-storage backend similar to imapc, which

Hi. Is there a 802.1x implementation (client and server) for FreeBSD -STABLE? Sam -- Samuel Tardieu -- sam@rfc1149.net -- http://www.rfc1149.net/sam

> On 08 Feb 2016, at 11:59, Timo Sirainen <tss at iki.fi> wrote: > > On 08 Feb 2016, at 11:01, Nagy, Attila <bra at fsn.hu> wrote: >> >> Hi, >> >> Nearly every popular programming language has an LMTP/POP/IMAP implementation, most of them suck in many different ways. >> I don't know any server or library which provides a well-established,

Hi, This is a capture from an imapc client session (which is triggered by a message, received via LMTP): * OK [CAPABILITY IMAP4rev1 NAMESPACE] Ready 2 LOGIN "uid" "pass" 2 OK LOGIN succeeded 1 LIST "" "" * LIST (\Noselect) "/" "" 1 OK LIST completed 3 APPEND "INBOX" {568} + Ready for 568 octets of data [...] 3 OK APPEND

Hi, imapc does a lot of UID FETCH $UID (BODY.PEEK[]), which is nice, because it works even with the dumbest IMAP server, altough it really kills performance, especially on high latency lines. I wonder: if IMAP servers can effectively handle boundless fetches (like a list with all wanted UIDs, or simply 1:* if all are needed), do you see this as a good addition to develop? This could be a

This message was sent to bugtraq today: While playing around with FreeBSD 5.4 and jailing I discovered that it was possible to put an ethernet interface into promiscious mode from within the jailed environment, allowing a packetsniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x This can be reproduced on boxes where BPF support is

Hi, Nearly every popular programming language has an LMTP/POP/IMAP implementation, most of them suck in many different ways. I don't know any server or library which provides a well-established, compatible protocol frontend with an open backend API, which could be used to easily make a custom storage backend for the LMTP/POP/IMAP frontend in any language, in any programming paradigm,

On 09/08/2017 01:53 PM, Aki Tuomi wrote: > > On 08.09.2017 14:50, Nagy, Attila wrote: >> Hi, >> >> I've a broken IMAP server, which doesn't support pipelining and fails >> on dovecot's attempt to do this ([C] is dovecot's imapc, [S] is the >> IMAP server): >> >> [C] 24 LOGIN "user" "pass" >> [S] 23 OK

I'm going to apply the ssh patch. Applying it to the "real" server seems straightforward enough, but I'm wondering what the right procedure is to apply this patch to my jailed servers.

I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privilegs to a FreeBSD jail & user privileges to the jails host machine can obtain root privileges on the host machine. Can someone confirm if this bugg/exploit works?

Howdy! I'm not sure if this is actually an issue, feature or a bug, but I have found that inside a jail, the jailed root user is able to sniff traffic (and enable promiscuous mode) on at least the interface of the IP address the jail is attached to. I have not found any documentation explaining if this should occur or not, but I feel it is something that should at least be known to those

On 09/23/2016 08:05 AM, Aki Tuomi wrote: > On 29.07.2016 15:35, Nagy, Attila wrote: >> I use pass and userdb with dict protocol in a similar way: >> >> key passdb { >> key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: >> %s^MClient-IP: %r >> format = json >> } >> >> (^M is an \r character, inserted with vi CTRL-v + enter)