Re: unwanted packet forwarding / PR candidate?

From: Jeremie Le Hen <jeremie_at_le-hen.org>
Date: Tue, 31 May 2005 16:30:37 +0200
Hi Harald,

> in a previous e-mail I described some problems with multihomed 
> jail-systems. But there is another general problem.
> 
>                              INET
>      |-----------|            |         |---------|
>      |  Box A    |       |----A---|     |  Box B  |
>      |if0     if1|       | Router |     |----v----|
>      |-v-------v-|       |-v----v-|          |
>        |       |    DMZ    |    |            |
>        |       |-----|-----|    |            |
>        |                        |            |
>        |------------------------|------------|
>                     LAN
> 
> If you look at the diagram you see Box A with two interfaces, if0
> (172.16.0.2) for 172.16/16 at the LAN and let's say 192.168.0.2 on if1 for 
> the DMZ (192.168.0/24). The IP(s) of if1 is(are) bound to jail(s)!
> Now when I connect from BoxB(172.16.0.3) to a jail running on 
> BoxA(192.168.0.2) the outgoing packets go over the router into the DMZ. 
> But when I add a static route to BoxB which tells 192.168.0/24 172.16.0.2 
> (BoxA if0) I can connect to the jail running on BoxA via the if0 
> interface, even if I haven't enabled forwarding on BoxA.
> This is a big security hole IMHO.
> Should I file a PR for that?

Both if0's IP addresses and if1's belong to BoxA; the fact that the
IP address assigned to if1 is bound to a jail does not matter.  In fact
there could be processes outside of the jail which listen on
192.168.0.2.  This is the intended behaviour.
When BoxA receives a packet addressed to one of its IP addresses on some
interface, whichever interface it is, the packet is accepted unless
net.inet.ip.check_interface is set to 1.

The fact that you set this route on BoxB just sets the destination MAC
address of the packet destined to 192.168.0.2 to if0's.


Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
Received on Tue May 31 2005 - 12:30:45 UTC
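To make the distinction in the reply concrete, here is a small Python model (added for illustration, not FreeBSD kernel code or anything from the thread) of how a multihomed host disposes of an inbound packet: local delivery of a packet for any of the host's addresses is governed by net.inet.ip.check_interface, while net.inet.ip.forwarding only matters for packets addressed to someone else. BoxA's interfaces and addresses are taken from the diagram above; the function and interface names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Iface:
    name: str
    addresses: tuple  # IPv4 addresses configured on the interface


# Constructed model of BoxA from the thread; the jail's address lives on if1.
BOX_A = (
    Iface("if0", ("172.16.0.2",)),
    Iface("if1", ("192.168.0.2",)),
)


def disposition(ifaces, arriving_if, dst, check_interface=0, forwarding=0):
    """Decide what the host does with a packet for `dst` arriving on `arriving_if`.

    Returns "deliver", "forward" or "drop".  A packet for any local address is
    delivered whatever interface it came in on (weak host model) unless
    check_interface=1, in which case the address must be configured on the
    arriving interface.  Forwarding is only consulted for non-local addresses.
    """
    dst = ip_address(dst)
    addrs_by_if = {i.name: {ip_address(a) for a in i.addresses} for i in ifaces}
    if arriving_if not in addrs_by_if:
        raise ValueError(f"unknown interface {arriving_if}")
    local_addrs = set().union(*addrs_by_if.values())
    if dst in local_addrs:
        if check_interface and dst not in addrs_by_if[arriving_if]:
            return "drop"
        return "deliver"
    return "forward" if forwarding else "drop"


def thread_scenario():
    """BoxB's static route makes the packet for the jail IP arrive on if0."""
    return {
        "default": disposition(BOX_A, "if0", "192.168.0.2"),
        "check_interface": disposition(BOX_A, "if0", "192.168.0.2", check_interface=1),
        "via_dmz": disposition(BOX_A, "if1", "192.168.0.2", check_interface=1),
        # A packet for some other DMZ host is a forwarding question, not this one.
        "other_dmz_host": disposition(BOX_A, "if0", "192.168.0.9"),
    }


if __name__ == "__main__":
    for case, result in thread_scenario().items():
        print(f"{case:>16}: {result}")
```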