Gregory (Grisha) Trubetskoy [2004-01-09 00:24 CET]:
>
> On Thu, 8 Jan 2004, Herbert Poetzl wrote:
>
> > recently (end of december last year) somebody posted
> > a mystic message to one of the german webhosting lists
> > stating, that vserver is insecure, and that he would
> > suggest not to use it (no details were given) ...
> >
> > it 'seems' that the poster was worried about the
> > ability to sniff network packets from other vservers
> > on the same host, when inside a vserver.
>
> Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting
> that it needs to be enabled in order for ping to work. IMHO that's not
> very good advice, since it allows a vserver user to send all kinds of crap
> from within vserver to the network. An evil creative mind could come up
> with some way to jeopardize security/stability with raw net access.

It is possible to control this via host system firewall. This seems to be not
breakable from vserver. Just use the -s or -d parameter for vserver traffic on
iptables.

Frank.

-- 
Frank Matthieß
"My girlfriend asked me which one I like better - I hope the answer won't upset her."
  -- Sig by Dustin Sallings
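
The host-side filtering suggested in the reply above, sketched as an added example that is not part of the original thread: a shell function that prints (without applying) iptables egress rules matching one guest by source address. The chain name, the sample address 192.0.2.10 and the allowed port list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) host-side egress rules for one guest.
# The chain name, address and port list are assumptions, not from the thread.

valid_ipv4() {
    # Accept only a dotted quad with every octet in 0-255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

vserver_rules() {
    guest_ip=$1; shift
    valid_ipv4 "$guest_ip" || { echo "bad guest address" >&2; return 1; }
    for port in "$@"; do
        case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    done
    chain="VS_$(echo "$guest_ip" | tr . _)"   # hypothetical per-guest chain
    echo "iptables -N $chain"
    # Guest addresses are aliases on the host, so guest traffic is locally
    # generated and is matched in OUTPUT by source address (-s).
    echo "iptables -A OUTPUT -s $guest_ip -j $chain"
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # ping stays usable, rate-limited; every other ICMP type falls through.
    echo "iptables -A $chain -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else carrying the guest's source address is logged and dropped.
    echo "iptables -A $chain -j LOG --log-prefix 'vserver-drop: '"
    echo "iptables -A $chain -j DROP"
}

# Constructed sample: guest 192.0.2.10 may open outbound HTTP and HTTPS.
vserver_rules 192.0.2.10 80 443
```

Review the printed rules before piping them to a root shell; inbound traffic to the guest can be handled the same way in INPUT with `-d`.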
