unwanted packet forwarding / PR candidate?

From: Harald Schmalzbauer <harry_at_schmalzbauer.de>
Date: Tue, 31 May 2005 09:34:32 +0200
Hello,

In a previous e-mail I described some problems with multihomed 
jail systems. But there is another general problem.

                             INET
     |-----------|            |	        |---------|
     |  Box A    |       |----A---|     |  Box B  |
     |if0     if1|       | Router |     |----v----|
     |-v-------v-|       |-v----v-|          |
       |       |    DMZ    |    |            |
       |       |-----|-----|    |            |
       |                        |            |
       |------------------------|------------|
                    LAN

If you look at the diagram you see Box A with two interfaces, if0
(172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for 
the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
Now when I connect from BoxB (172.16.0.3) to a jail running on 
BoxA (192.168.0.2), the outgoing packets go over the router into the DMZ. 
But when I add a static route to BoxB which tells it 192.168.0/24 is via 172.16.0.2 
(BoxA if0), I can connect to the jail running on BoxA via the if0 
interface, even though I haven't enabled forwarding on BoxA.
This is a big security hole IMHO.
Should I file a PR for that?

My particular problem now is that if I connect from BoxB to a jail on BoxA, 
the answering packets won't go over the router but are instead sent directly 
over if0 back to the LAN. Any suggestions how to solve this? (fwd in 
IPFW and route-to in PF, but I think this should be handled by the system 
if jails are used.)
Is it possible (by design of jails) to implement a dedicated interface for 
a jail?

Thanks,

-Harry
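As an added illustration (not part of Harry's mail or of FreeBSD), a small Python model of the two behaviours described above: the weak host model accepting a packet for the if1/jail address on if0 with forwarding off, a strong-host check that refuses it, and the asymmetric reply path that a policy route (the PF route-to / IPFW fwd Harry mentions) pins back to the DMZ side. The router's DMZ address 192.168.0.1 is an assumption; the post does not give it.

```python
"""Constructed model of Box A from the post: if0 on the LAN, if1 (jail address) on the DMZ."""
from ipaddress import ip_address, ip_network

INTERFACES = {"if0": ip_address("172.16.0.2"), "if1": ip_address("192.168.0.2")}
DMZ_NET = ip_network("192.168.0.0/24")
ROUTER_DMZ = ip_address("192.168.0.1")  # assumed router address on the DMZ (not in the post)

# Forwarding table: (prefix, egress interface, gateway or None when directly connected).
FIB = [
    (ip_network("172.16.0.0/16"), "if0", None),
    (DMZ_NET, "if1", None),
    (ip_network("0.0.0.0/0"), "if1", ROUTER_DMZ),  # assumed default route via the router
]


def local_input(ingress, dst, forwarding=False, strong_host=False):
    """What Box A does with a packet that arrives on `ingress` addressed to `dst`."""
    dst = ip_address(dst)
    if dst in INTERFACES.values():
        # Weak host model: any address owned by the host is accepted on any
        # interface, independent of ip forwarding. This is the hole in the post:
        # 192.168.0.2 is reachable through if0 once BoxB has a static route.
        if strong_host and INTERFACES[ingress] != dst:
            return "drop"  # strong host model: dst must belong to the ingress interface
        return "deliver"
    # Not a local address: only a forwarding host passes it on.
    return "forward" if forwarding else "drop"


def lookup(dst):
    """Longest-prefix match over FIB -> (egress interface, gateway)."""
    dst = ip_address(dst)
    best = max((e for e in FIB if dst in e[0]), key=lambda e: e[0].prefixlen)
    return best[1], best[2]


def reply_path(src, dst, policy_route=False):
    """Where the jail's reply from `src` to `dst` leaves Box A."""
    iface, gw = lookup(dst)
    # Plain FIB lookup sends the reply straight out if0 onto the LAN (asymmetric
    # with the inbound path through the router). A policy route, like PF
    # route-to or IPFW fwd, pins DMZ-sourced traffic to if1 via the router.
    if policy_route and ip_address(src) in DMZ_NET and iface != "if1":
        return "if1", ROUTER_DMZ
    return iface, gw


if __name__ == "__main__":
    print(local_input("if0", "192.168.0.2"))                      # deliver (the hole)
    print(local_input("if0", "192.168.0.2", strong_host=True))    # drop
    print(reply_path("192.168.0.2", "172.16.0.3"))                # ('if0', None)
    print(reply_path("192.168.0.2", "172.16.0.3", policy_route=True))
```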

Received on Tue May 31 2005 - 05:34:47 UTC
