Re: jail && (ping && traceroute)
From: Pawel Jakub Dawidek (nick_at_garage.freebsd.pl)
Date: 05/31/03
- Previous message: Valentin Nechayev: "Re: gcc bug? Openoffice port impossibel to compile on 4.8"
- In reply to: Alexandr Kovalenko: "jail && (ping && traceroute)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 31 May 2003 09:44:08 +0200
To: Alexandr Kovalenko <never@nevermind.kiev.ua>
On Fri, May 30, 2003 at 05:35:42PM +0300, Alexandr Kovalenko wrote:
> I have 2 questions:
>
> - where in code should I search for icmp socket binding prohibition in
> jail?;
> - what bad consequences will appear if I remove those checks and
> prohibition?.
It is nasty to allow all jailed processes to open RAW sockets.
You can use CerbNG to allow only selected jailed processes to open RAW sockets.
General policy is here:
http://cerber.sourceforge.net/policies/jailed-icmp.cb
but you can easily rewrite it to allow only selected processes to do this.
Project's page is here:
And rest of policies:
http://cerber.sourceforge.net/policies/
CerbNG works only on 4-STABLE systems for now, and a 1.0-RC2 version will be
released soon, but I've started porting it to -CURRENT.
--
Pawel Jakub Dawidek pawel@dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net