Re: [fbsd] Re: jail addresses and default bindings



On Wed, Dec 27, 2006 at 04:56:38PM +0100, Jeremie Le Hen wrote:
On Sat, Dec 16, 2006 at 10:13:00AM +0000, Bjoern A. Zeeb wrote:
this way it's hard to distinguish in a packet filter (let's say pf),
among connections originating from within the jail itself or
from the host system to the jail.

I won't ask why you would want to do that if you control it
from the "host" system anyway...

Additionally, ipfw(8) has the "jail" keyword, though it is easier to
work with IP addresses since jail ids are bumped whenever you restart
a jail.

yes, i know. but it's not just the packet filter itself.
this way i cannot make separate access control rules in
PostgreSQL's configuration file that treat in-jail and
host system connections differently, since both have the
same originating IP address.

i was pointed to sshd_config's bind directive, and
netcat's -s, but in most client libraries i don't have this
flexibility. clients tend to bind to IPADDR_ANY and leave the
details to the IP stack itself. they just need to connect, they don't
select IP addresses to bind to.
libpq (postgres's client library) doesn't offer this flexibility,
nor does any other client lib i know of at the moment. you cannot even
configure a web browser (links, opera, firefox, etc) and tell it
which IPs it can use for browsing purposes and which ones are
off limits to it (for example some addresses are held for jails).

Bye,

Gergely Czuczy
mailto: gergely.czuczy@xxxxxxxxxxx

--
Weenies test. Geniuses solve problems that arise.
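
What netcat's -s does underneath, as an added example that is not part of the original message: a client that calls bind() on its socket before connect() chooses its own source address, while one that skips bind() leaves the choice to the IP stack. The function name `peer_seen_by_server` is hypothetical and the loopback listener is constructed for the demonstration; any other source address, such as a host-only alias, must already be configured on an interface or bind() fails.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to a throwaway loopback listener and return (host byte order) the
 * source address the server side sees, or 0 on error.
 * src == NULL: no bind() on the client socket, the kernel picks the source,
 *              as a typical client library does.
 * src != NULL: bind() the client socket to src first, as nc -s does. */
uint32_t peer_seen_by_server(const char *src)
{
    struct sockaddr_in srv, loc, peer;
    socklen_t len = sizeof(srv);
    uint32_t seen = 0;
    int as = -1, ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);

    memset(&srv, 0, sizeof(srv));
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    if (ls < 0 || cs < 0 || bind(ls, (struct sockaddr *)&srv, sizeof(srv)) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&srv, &len) < 0)
        goto out;
    if (src != NULL) {  /* pin the source address before connect() */
        memset(&loc, 0, sizeof(loc));
        loc.sin_family = AF_INET;
        if (inet_pton(AF_INET, src, &loc.sin_addr) != 1 ||
            bind(cs, (struct sockaddr *)&loc, sizeof(loc)) < 0)
            goto out;
    }
    len = sizeof(peer);
    if (connect(cs, (struct sockaddr *)&srv, sizeof(srv)) == 0 &&
        (as = accept(ls, (struct sockaddr *)&peer, &len)) >= 0)
        seen = ntohl(peer.sin_addr.s_addr);
out:
    if (as >= 0) close(as);
    if (cs >= 0) close(cs);
    if (ls >= 0) close(ls);
    return seen;
}

int main(void)
{
    printf("no bind():        %08x\n", (unsigned)peer_seen_by_server(NULL));
    printf("bind(127.0.0.1):  %08x\n", (unsigned)peer_seen_by_server("127.0.0.1"));
    return 0;
}
```

The server-side peer address is what an address-based rule (a packet filter rule or a PostgreSQL host entry) matches on, so only a client that binds explicitly can be told apart by source IP.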
