On Sun, 30 Nov 2008, Frank Behrens wrote:

> Hi,
>
> Bjoern A. Zeeb wrote:
>> On Thu, 27 Nov 2008, Frank Behrens wrote:
>>> On the other side I still read in the patched jail(2) man page:
>>> "Similarly, it might be a good idea to add an address alias flag such
>>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>>> address...". Can you explain the current behaviour?
>>
>> I think this question is related to your PR kern/84215.
> Yes.
>
>> The current situation is: jails take precedence. So if sshd is
>> listening on inaddr_any on the host and on inaddr_any inside a jail
>> the connection to an IP belonging to a jail will end up inside the
>> jail; any connections to IPs not belonging to jails will end up on the
>> base.
> So we have now the desired behaviour. Your explanation should replace
> the (now incorrect) sentence in the man page. Please excuse my error, it
> is in jail(8), not jail(2).
>
>> Obviously if you stop the jail and ssh to a former jail IP you'll end
>> up on the base system and ssh would complain about different keys
>> possibly while telnet or similar things won't notice.
> This is expected and not easy to circumvent.

Yes it is. You don't bind your sshd (or whatever) to inaddr_any on the
base system but an IP exclusive to the base system. If the jail is
stopped, you'll get connection refused instead of an unexpected
behaviour. So what is in the man page is not entirely wrong.

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
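The failure mode discussed above (a host daemon bound to INADDR_ANY silently answering for a stopped jail's IP) is easy to audit for. The following is an added example, not code from the thread or from FreeBSD: it reads sockstat(1)-style listener output and reports every socket bound to the wildcard address. The sample output embedded in it is constructed for offline use; on a real base system you would pipe `sockstat -4l` into `find_wildcard_listeners` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Flags base-system daemons listening
# on the wildcard address (shown by sockstat as "*:port"), which is what
# lets a former jail IP fall through to the host once the jail is stopped.
#
# Real use on the base system:
#     sockstat -4l | find_wildcard_listeners
#
# The sample below is constructed for offline demonstration only.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     sendmail   1300  4  tcp4   127.0.0.1:25          *:*
root     ntpd       1400  20 udp4   *:123                 *:*
www      nginx      1500  6  tcp4   192.0.2.1:80          *:*'

# Read sockstat output on stdin; print "COMMAND PID PROTO PORT" for each
# listener whose local address is the wildcard "*:port". Field positions
# (USER COMMAND PID FD PROTO LOCAL FOREIGN) follow sockstat's columns; the
# header line (NR == 1) is skipped because "LOCAL ADDRESS" contains a space.
find_wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { sub(/^\*:/, "", $6); print $2, $3, $5, $6 }'
}

# Number of wildcard listeners in the constructed sample.
count_sample_wildcards() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | find_wildcard_listeners | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SOCKSTAT" | find_wildcard_listeners
```

For the sample this lists sshd on tcp4 port 22 and ntpd on udp4 port 123; sendmail and nginx are already bound to specific addresses. The remedy the reply describes for sshd is to bind it only to an address that belongs to the base system (the `ListenAddress` directive in sshd_config), so that a connection to a stopped jail's IP is refused rather than answered by the host's sshd with a different host key.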
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[EMAIL PROTECTED]"