Mike Meyer <[EMAIL PROTECTED]> wrote:
> In <[EMAIL PROTECTED]>, Dirk Engling <[EMAIL PROTECTED]> typed:
> > > The default configuration doesn't expose sendmail to the publicly
> > > visible IP address. The daemon it runs only listens for connections to
> > > the localhost address.
> > Which is rewritten to the jail's (externally visible) address on a connect()
>
> Yup. I wasn't aware of that strange behavior of jails. That should be
> fixed.

Fixed how? Disallow jailed applications to connect to 127.0.0.1, and thus break most of them, or have them reach 127.0.0.1 on the host system and weaken the security?

I think the "strange behaviour" makes sense and it certainly makes jailing servers easier.

Because of the security aspect it's a good idea to have the jail run on a private IP address that's only reachable through packet filter and port forwarding anyway. Don't forward the ports you don't need and the "problem" is solved.

> I think the better fix would be to make jails not expose their
> localhost IP address to the outside world.

Exactly.

Fabian
--
http://www.fabiankeil.de/