Hello, in a previous e-mail I described some problems with multihomed jail systems. But there is another general problem.

                          INET
                            |
    |-----------|      |---------|      |---------|
    |   Box A   |      |  Router |      |  Box B  |
    |if0     if1|      |         |      |         |
    |-v-------v-|      |----v----|      |-v-------|
      |       |   DMZ      |             |
      |       |------------|             |
      |                                  |
      |----------------------------------|  LAN

If you look at the diagram you see Box A with two interfaces: if0 (172.16.0.2) for 172.16/16 on the LAN and, let's say, 192.168.0.2 on if1 for the DMZ (192.168.0/24). The IP(s) of if1 is (are) bound to jail(s)!

Now when I connect from Box B (172.16.0.3) to a jail running on Box A (192.168.0.2), the outgoing packets go over the router into the DMZ. But when I add a static route on Box B which says 192.168.0/24 via 172.16.0.2 (Box A if0), I can connect to the jail running on Box A via the if0 interface, even if I haven't enabled forwarding on Box A. This is a big security hole IMHO. Should I file a PR for that?

My particular problem now is that if I connect from Box B to a jail on Box A, the answering packets won't go over the router but are instead sent directly over if0 back to the LAN. Any suggestions how to solve this? (fwd in IPFW and route-to in PF, but I think this should be handled by the system if jails are used.) Is it possible (by design of jails) to implement a dedicated interface for a jail?

Thanks,
-Harry
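An added example, not part of Harry's post: a pf.conf fragment for Box A that addresses both points raised above with the two mechanisms the post names. The first rule closes the hole by refusing packets for DMZ (jail) addresses that arrive on the LAN interface, which is what the static route on Box B exploits; the second uses reply-to (the reply-direction counterpart of route-to) so that replies to a connection that came in through the DMZ go back out the DMZ interface to the router instead of straight out if0. Interface names if0/if1 are kept as placeholders for the real device names, and the router's DMZ-side address (dmz_gw) is an assumption, since the post does not give it.

```pf
# Added example pf.conf fragment for Box A (not from the original post).
# Assumptions: if0/if1 stand for the real interface names; dmz_gw is the
# router's address inside the DMZ, which the post does not state.
lan_if  = "if0"
dmz_if  = "if1"
lan_net = "172.16.0.0/16"
dmz_net = "192.168.0.0/24"
jail_ip = "192.168.0.2"
dmz_gw  = "192.168.0.1"    # assumed router address on the DMZ side

set skip on lo0

# 1. Close the hole: a host on the LAN must not reach the jail IPs through
#    if0, no matter what static routes it has. Logging the drops gives a
#    detection signal for the "route 192.168.0/24 via Box A" trick.
block in log quick on $lan_if from any to $dmz_net

# 2. Symmetric routing: connections to the jail that arrive via the DMZ get
#    their replies sent back through if1 to the router, not directly out if0.
pass in on $dmz_if reply-to ($dmz_if $dmz_gw) proto tcp \
    from $lan_net to $jail_ip keep state

# Normal traffic on both interfaces (tighten to taste).
pass out on { $lan_if $dmz_if } keep state
```

Load it with pfctl -f and check the rules with pfctl -sr; with the block rule active, a connection from Box B via the static route now fails even before forwarding is considered. The IPFW equivalent of the first rule is an "in recv" deny on the LAN interface for the DMZ network, i.e. ipfw add deny ip from any to 192.168.0.0/24 in recv if0.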
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:35 UTC