Re: Not getting an IPv6 in a jail
John Baldwin wrote:
> On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
>> FLEURIOT Damien wrote:
>>> BIND's now happily running in its jail and responding to public queries.
>> It's up to you if you choose to do it, but there is no reason to run BIND in a jail. The chroot feature provided by default by rc.d/named is quite adequate security.
> That is debatable. One of the chief benefits of a jail is that if a server is compromised so that an attacker can gain root access, that root access is limited in what it can do compared to a simple chroot. That is true for any server you would run under a jail, not just BIND.

On a strictly intellectual level I agree that jails are in some ways more limited than chroots. OTOH, named chroots by default into /var/named, which has no binaries at all. The most interesting things in the chroot environment are /dev/null and /dev/random. Jails by nature have a more or less complete FreeBSD system available to the attacker. Also, in addition to being chroot'ed, named runs by default as user 'bind', which is rather limited in what it can modify in the chroot.

I realize that it's theoretically possible for an attacker to break out of a chroot environment, escalate their privileges, etc. I suppose my point is that if you're looking for things to tighten down on a FreeBSD system, the default named configuration is not the first place I'd look. :)

Doug

___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
Re: Not getting an IPv6 in a jail
On Thu, Sep 3, 2009 at 7:04 AM, Mark Andrews <ma...@isc.org> wrote:
> In message <20090902160440.ga28...@sd-13813.dedibox.fr>, FLEURIOT Damien writes:
>> On Tue, Sep 01, 2009 at 08:15:24PM + or thereabouts, Bjoern A. Zeeb wrote:
>>> On Tue, 1 Sep 2009, Major Domo wrote:
>>>> Hi,
>>>> Apologies if this has been discussed already but I searched the web and the mailing lists and haven't found hints on my problem.
>>>> I've got a jail, I assign it a set of IP addresses, and it just won't take the IP6 I give it.
>>>> Uname: FreeBSD 7.2-STABLE
>>>> jail_ns_ip=192.168.0.252,fe80::c0a8:fc
>>>> jls -v:
>>>> JID Hostname Path Name State CPUSetID IP Address(es)
>>>> 23 [snip] /var/jail/ns ALIVE 2 192.168.0.252 fe80::c0a8:fc
>>>> ifconfig lo252 from the host:
>>>> lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>>     inet 192.168.0.252 netmask 0x
>>>>     inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
>>>> ifconfig from the jail:
>>>> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>     options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>>>>     ether 00:e0:f4:19:e9:d2
>>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>>     status: active
>>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
>>>> lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>>     inet 192.168.0.252 netmask 0x
>>> This is a rather special case. For link-local addresses you have to give the scope as well, but it won't take the scope with the %lo252 notation, only in the KAME in-kernel syntax, I would assume.
>>> Can you try:
>>> jail_ns_ip=192.168.0.252,fe80:5::c0a8:fc
>>> Note the added 5 in the second group of hex digits. That five is the interface index. I took it from the scopeid 0x5. In case your interface index changes you will need to adjust the address.
>>> I cannot say if it'll work but it would be worth a try.
>>> /bz
>>> -- Bjoern A. Zeeb   What was I talking about and who are you again?
>> Hi list, Bjoern, John,
>> I confirm it is now working with the following line in /etc/rc.conf:
>> jail_ns_ip=192.168.0.252,fec0:5::df:252
>> along with redirections in /etc/pf.conf:
>> rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 -> $lo252_if port 53
>> rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 -> $lo252_if port 53
>> Notice the use of both the interface's index and a site-local ip6 address instead of the old fe80 as suggested.
>> BIND's now happily running in its jail and responding to public queries.
>> Perhaps a small addition to the jails entry in the Handbook to advise people about the use of IP6 addresses on loopback interfaces would be warranted?
>> I realize how lousy it is to NAT IP6 but my host assigns only 1 IP6 address per server.
> Then complain. There is no reason to be miserly with IPv6 addresses.

True that. Or just sign up @HE. They can give you up to 4 tunnels w/ a /64 and a /48 (if you opt) for each of these 4 tunnels! All you hafta do is give them your contact info and a public IPv4, and it doesn't hafta be static --- there are tools to update their records.

>> Thanks for the help!
>> Regards
>> -- Damien
>> ___ freebsd-sta...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
> -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

-- cheers mars
- Marie von Ebner-Eschenbach - Even a stopped clock is right twice a day. - http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html
Re: Not getting an IPv6 in a jail
FLEURIOT Damien wrote:
> BIND's now happily running in its jail and responding to public queries.

It's up to you if you choose to do it, but there is no reason to run BIND in a jail. The chroot feature provided by default by rc.d/named is quite adequate security.

Doug

-- This .signature sanitized for your protection
Re: Not getting an IPv6 in a jail
In message <20090902160440.ga28...@sd-13813.dedibox.fr>, FLEURIOT Damien writes:
> On Tue, Sep 01, 2009 at 08:15:24PM + or thereabouts, Bjoern A. Zeeb wrote:
>> On Tue, 1 Sep 2009, Major Domo wrote:
>>> Hi,
>>> Apologies if this has been discussed already but I searched the web and the mailing lists and haven't found hints on my problem.
>>> I've got a jail, I assign it a set of IP addresses, and it just won't take the IP6 I give it.
>>> Uname: FreeBSD 7.2-STABLE
>>> jail_ns_ip=192.168.0.252,fe80::c0a8:fc
>>> jls -v:
>>> JID Hostname Path Name State CPUSetID IP Address(es)
>>> 23 [snip] /var/jail/ns ALIVE 2 192.168.0.252 fe80::c0a8:fc
>>> ifconfig lo252 from the host:
>>> lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>     inet 192.168.0.252 netmask 0x
>>>     inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
>>> ifconfig from the jail:
>>> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>     options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>>>     ether 00:e0:f4:19:e9:d2
>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>     status: active
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
>>> lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>     inet 192.168.0.252 netmask 0x
>> This is a rather special case. For link-local addresses you have to give the scope as well, but it won't take the scope with the %lo252 notation, only in the KAME in-kernel syntax, I would assume.
>> Can you try:
>> jail_ns_ip=192.168.0.252,fe80:5::c0a8:fc
>> Note the added 5 in the second group of hex digits. That five is the interface index. I took it from the scopeid 0x5. In case your interface index changes you will need to adjust the address.
>> I cannot say if it'll work but it would be worth a try.
>> /bz
>> -- Bjoern A. Zeeb   What was I talking about and who are you again?
> Hi list, Bjoern, John,
> I confirm it is now working with the following line in /etc/rc.conf:
> jail_ns_ip=192.168.0.252,fec0:5::df:252
> along with redirections in /etc/pf.conf:
> rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 -> $lo252_if port 53
> rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 -> $lo252_if port 53
> Notice the use of both the interface's index and a site-local ip6 address instead of the old fe80 as suggested.
> BIND's now happily running in its jail and responding to public queries.
> Perhaps a small addition to the jails entry in the Handbook to advise people about the use of IP6 addresses on loopback interfaces would be warranted?
> I realize how lousy it is to NAT IP6 but my host assigns only 1 IP6 address per server.

Then complain. There is no reason to be miserly with IPv6 addresses.

> Thanks for the help!
> Regards
> -- Damien

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Not getting an IPv6 in a jail
On Tue, 1 Sep 2009, Major Domo wrote:
> Hi,
> Apologies if this has been discussed already but I searched the web and the mailing lists and haven't found hints on my problem.
> I've got a jail, I assign it a set of IP addresses, and it just won't take the IP6 I give it.
> Uname: FreeBSD 7.2-STABLE
> jail_ns_ip=192.168.0.252,fe80::c0a8:fc
> jls -v:
> JID Hostname Path Name State CPUSetID IP Address(es)
> 23 [snip] /var/jail/ns ALIVE 2 192.168.0.252 fe80::c0a8:fc
> ifconfig lo252 from the host:
> lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     inet 192.168.0.252 netmask 0x
>     inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> ifconfig from the jail:
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>     options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>     ether 00:e0:f4:19:e9:d2
>     media: Ethernet autoselect (100baseTX <full-duplex>)
>     status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
> lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     inet 192.168.0.252 netmask 0x

This is a rather special case. For link-local addresses you have to give the scope as well, but it won't take the scope with the %lo252 notation, only in the KAME in-kernel syntax, I would assume.

Can you try:

jail_ns_ip=192.168.0.252,fe80:5::c0a8:fc

Note the added 5 in the second group of hex digits. That five is the interface index. I took it from the scopeid 0x5. In case your interface index changes you will need to adjust the address.

I cannot say if it'll work but it would be worth a try.

/bz

-- Bjoern A. Zeeb   What was I talking about and who are you again?
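The address rewrite Bjoern proposes here, and that Damien confirmed with the fec0:5::df:252 form, is mechanical enough to script so the jail's rc.conf line does not silently go stale when the interface index changes. The following POSIX sh script is an added example and not code from the thread or from FreeBSD: the function names (scope_index_from_ifconfig, kame_scoped, jail_ip_line) and the sample ifconfig text are constructed for it. It reads the index out of the scopeid field of ifconfig(8) output and embeds it in the second 16-bit group of an fe80:: or fec0:: address, exactly as the thread does by hand.

```shell
#!/bin/sh
# Added example, not from the thread: derive the KAME-style scoped address
# that the FreeBSD 7.x jail rc glue accepts from an unscoped fe80::/fec0::
# address plus the interface index shown by ifconfig(8). Function names and
# the sample ifconfig text are constructed for this example.

# Print the interface index (hex digits, leading zeros stripped) taken from
# the "scopeid 0xN" field of ifconfig output passed in as one string.
scope_index_from_ifconfig() {
    printf '%s\n' "$1" |
        sed -n 's/.*scopeid 0x0*\([0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' |
        head -n 1
}

# Embed the index in the second 16-bit group: fe80::c0a8:fc + 5 -> fe80:5::c0a8:fc.
# Only addresses written as fe80::... or fec0::... are accepted; anything else
# either already carries a scope in that group or is global and needs none.
kame_scoped() {
    addr=$1 idx=$2
    case $addr in
        fe80::*|fec0::*) ;;
        *) printf 'kame_scoped: %s is not an unscoped fe80::/fec0:: address\n' "$addr" >&2
           return 1 ;;
    esac
    [ -n "$idx" ] || { printf 'kame_scoped: empty interface index\n' >&2; return 1; }
    printf '%s:%s::%s\n' "${addr%%::*}" "$idx" "${addr#*::}"
}

# Build the rc.conf line for jail NAME with IPv4 V4 and IPv6 V6 scoped by IDX.
jail_ip_line() {
    name=$1 v4=$2 v6=$3 idx=$4
    scoped=$(kame_scoped "$v6" "$idx") || return 1
    printf 'jail_%s_ip=%s,%s\n' "$name" "$v4" "$scoped"
}

# Constructed sample in the layout ifconfig(8) prints for a loopback clone.
SAMPLE_IFCONFIG='lo252: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5'

# Stand-alone run; on a real host replace "$SAMPLE_IFCONFIG" with "$(ifconfig lo252)".
idx=$(scope_index_from_ifconfig "$SAMPLE_IFCONFIG")
jail_ip_line ns 192.168.0.252 fe80::c0a8:fc "$idx"
jail_ip_line ns 192.168.0.252 fec0::df:252 "$idx"
```

Two caveats worth keeping in mind when adapting this. The embedded index is only meaningful for link-local and site-local addresses, which is why kame_scoped refuses anything else; a global address, or a unique local address from fc00::/7 (RFC 4193, which replaced the fec0::/10 site-local prefix deprecated by RFC 3879), carries no scope and goes into jail_*_ip unchanged. And because the index comes from the host's interface numbering, the line has to be regenerated whenever cloned interfaces are created in a different order, which is the failure mode Bjoern warns about.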