unwanted packet forwarding / PR candidate?

From: Harald Schmalzbauer (harry_at_schmalzbauer.de)
Date: 05/31/05

    To: freebsd-current@freebsd.org
    Date: Tue, 31 May 2005 09:34:32 +0200

    Hello,

    in a previous e-mail I described some problems with multihomed
    jail-systems. But there is another general problem.

                                  INET
          |-----------|             |            |---------|
          |   Box A   |        |----A---|        |  Box B  |
          |if0     if1|        | Router |        |----v----|
          |-v-------v-|        |-v----v-|             |
            |       |    DMZ     |    |               |
            |       |------------|    |               |
            |                         |               |
            |-------------------------|---------------|
                                LAN

    If you look at the diagram you see Box A with two interfaces, if0
    (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for
    the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
    Now when I connect from BoxB(172.16.0.3) to a jail running on
    BoxA(192.168.0.2) the outgoing packets go over the router into the DMZ.
    But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2
    (BoxA if0) I can connect to the jail running on BoxA via the if0
    interface, even if I haven't enabled forwarding on BoxA.
    This is a big security hole IMHO.
    Should I file a PR for that?

    My particular problem now is that if I connect from BoxB to a jail on BoxA,
    the answering packets won't go over the router but are instead sent directly
    over if0 back to the LAN. Any suggestions on how to solve this? (fwd in
    IPFW and route-to in PF, but I think this should be handled by the system
    if jails are used).
    Is it possible (by design of jails) to implement a dedicated interface for
    a jail?

    Thanks,

    -Harry
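One way to handle both points on Box A with pf, as an added example that is not part of the mail above (the interface names, the router's DMZ-side address 192.168.0.1 and the rule set are assumptions):

```pf
# Added example pf.conf for Box A as drawn in the mail; names and the
# router's DMZ address are assumptions, not from the original post.
lan_if  = "if0"
dmz_if  = "if1"
lan_net = "172.16.0.0/16"
dmz_net = "192.168.0.0/24"
jail_ip = "192.168.0.2"
dmz_gw  = "192.168.0.1"      # assumed: router's DMZ-side address

set skip on lo0

# 1. Close the hole: a packet for a DMZ/jail address that arrives on the
#    LAN interface is delivered locally, not forwarded, so it is accepted
#    even with net.inet.ip.forwarding=0. Refuse it on ingress instead.
block drop in log quick on $lan_if inet from any to $dmz_net

# 2. Symmetric path: state created for LAN->jail traffic entering on if1
#    sends the replies back out if1 to the router instead of out if0.
pass in quick on $dmz_if reply-to ($dmz_if $dmz_gw) inet proto { tcp udp } from $lan_net to $jail_ip keep state

# Remaining traffic as before (tighten for a real deployment)
pass in on $dmz_if keep state
pass in on $lan_if inet from $lan_net to $lan_if keep state
pass out keep state
```

With the first rule in place, the static-route trick from Box B is logged and dropped on if0; the second rule only affects sessions that entered through the DMZ side.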
