Herbert Poetzl wrote:
On Thu, Mar 17, 2005 at 03:49:53PM +0100, Ulrich Weber wrote:
Is it possible to send packets with other IPs than the one of the origin vserver?
Well you could do as normal user all the things ICMP is good for. See http://www.faqs.org/docs/iptables/icmptypes.html for all types.
This could be Source redirection. However that should be disabled on most systems for security reasons.
That's IMHO the only thing evil users could do. All other ICMP types make no sense, because the user is not
able to sniff the packets and therefore can not "react" to incoming packets with custom ICMP replies.
what about various DoS and DDoS things like sending host unreachable for the 'neighbour' vserver's ip ...
Should/Can this not be disabled by the vserver patch generally ?
Yeah that's exactly the problem with my vserver provider. They enabled this to use ping on all vserver
I would recommend to use this as default behavior. For high security you could disable this feature and for low
security you could enable the CAP_NET_RAW mode.
carefully, CAP_NET_RAW gives you the ability to sniff all kinds of traffic too ...
because more customers cared about ping than about sniffing the traffic...
You also have to consider that normally users on vservers are trusted so it's not really a multi-user environment.
hmm, they are? ;)
Yeah, who wants this should rent a dedicated server ;)
