Hi Harald,

> in a previous e-mail I described some problems with multihomed
> jail-systems. But there is another general problem.
>
>                       INET
>   |-----------|                    |---------|
>   |   Box A   |      |----A---|    |  Box B  |
>   |if0     if1|      | Router |    |----v----|
>   |-v-------v-|      |-v----v-|         |
>     |       |   DMZ   |    |            |
>     |       |-----|-----|  |            |
>     |             |        |            |
>   |------------------------|------------|
>                       LAN
>
> If you look at the diagram you see Box A with two interfaces, if0
> (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for
> the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
> Now when I connect from BoxB(172.16.0.3) to a jail running on
> BoxA(192.168.0.2) the outgoing packets go over the router into the DMZ.
> But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2
> (BoxA if0) I can connect to the jail running on BoxA via the if0
> interface, even if I haven't enabled forwarding on BoxA.
> This is a big security hole IMHO.
> Should I file a PR for that?

Both the if0 IP addresses and the if1 ones belong to BoxA; the fact that the
IP address assigned to if1 is bound to a jail does not matter. In fact there
could be processes outside of the jail which listen on 192.168.0.2.

This is the intended behaviour. When BoxA receives a packet addressed to one
of its IP addresses on some interface, whichever interface it is, the latter
is accepted unless net.inet.ip.check_interface is set to 1. The fact that
you set this route on BoxB just sets the destination MAC address of the
packet destined to 192.168.0.2 to if0's.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

Received on Tue May 31 2005 - 12:30:45 UTC
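The following is an added illustration of the receive-side behaviour the reply describes; it is a Python model written for this archive page, not code from either poster and not FreeBSD kernel code. It reproduces the topology from the diagram (BoxA with if0 = 172.16.0.2/16 on the LAN and if1 = 192.168.0.2/24 in the DMZ) and shows how BoxB's static route only changes which interface the packet arrives on, while net.inet.ip.check_interface decides whether a packet for if1's address is accepted when it arrives on if0. The router address 172.16.0.1 and the next-hop-to-arrival-interface mapping are constructed assumptions; the e-mail gives neither.

```python
"""Model of the weak-host-model accept decision discussed in the thread.

Added example, not the posters' code: with net.inet.ip.check_interface=0 a
multihomed host accepts a packet for any of its addresses on any interface;
with check_interface=1 it accepts only on the interface that carries the
destination address. Topology from the e-mail; router address is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class MultihomedHost:
    # interface name -> list of addresses with prefix, e.g. "172.16.0.2/16"
    interfaces: dict
    # models the sysctl net.inet.ip.check_interface (0 = accept on any interface)
    check_interface: int = 0

    def accepts(self, arrival_if: str, dst: str) -> bool:
        """Would the IP input path accept a packet for dst arriving on arrival_if?"""
        dst_ip = ip_address(dst)
        if self.check_interface:
            # strict check: only addresses configured on the arrival interface count
            candidates = self.interfaces.get(arrival_if, [])
        else:
            # weak host model: any local address on any interface is accepted
            candidates = [a for addrs in self.interfaces.values() for a in addrs]
        return any(ip_interface(a).ip == dst_ip for a in candidates)


def next_hop(routes: list, dst: str):
    """Longest-prefix-match lookup over (prefix, gateway) pairs, like BoxB's routing table."""
    dst_ip = ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


# Constructed topology from the diagram: BoxA has if0 on the LAN, if1 in the DMZ.
BOX_A = MultihomedHost({"if0": ["172.16.0.2/16"], "if1": ["192.168.0.2/24"]})
ROUTER = "172.16.0.1"  # assumed placeholder; the e-mail gives no router address

# Which BoxA interface a frame reaches for a given next hop chosen by BoxB
# (constructed: via the router the packet enters from the DMZ side on if1,
# via 172.16.0.2 directly it is framed to if0's MAC on the LAN).
ARRIVAL_IF = {ROUTER: "if1", "172.16.0.2": "if0"}


def reachable_from_box_b(routes, dst="192.168.0.2", check_interface=0):
    """Trace BoxB -> BoxA delivery; returns (next hop, arrival interface, accepted)."""
    gw = next_hop(routes, dst)
    arrival = ARRIVAL_IF[gw]
    host = MultihomedHost(BOX_A.interfaces, check_interface)
    return gw, arrival, host.accepts(arrival, dst)


# BoxB's table before and after the static route from the e-mail is added.
DEFAULT_ONLY = [("0.0.0.0/0", ROUTER)]
WITH_STATIC = DEFAULT_ONLY + [("192.168.0.0/24", "172.16.0.2")]

if __name__ == "__main__":
    for label, routes in (("default route", DEFAULT_ONLY), ("static route", WITH_STATIC)):
        for ci in (0, 1):
            print("%-13s check_interface=%d ->" % (label, ci),
                  reachable_from_box_b(routes, check_interface=ci))
```

Running it shows the two cases the reply distinguishes: with the default sysctl value the jail's address is reachable whichever way the packet arrives, and with net.inet.ip.check_interface=1 the packet that BoxB steers onto if0 is dropped while delivery through the DMZ on if1 still works.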
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:35 UTC