Mike Meyer <[EMAIL PROTECTED]> wrote:

> In <[EMAIL PROTECTED]>, Fabian Keil <[EMAIL PROTECTED]> typed:
> > Mike Meyer <[EMAIL PROTECTED]> wrote:
> > > In <[EMAIL PROTECTED]>, Dirk Engling <[EMAIL PROTECTED]> typed:
> > > > > The default configuration doesn't expose sendmail to the publicly
> > > > > visible IP address. The daemon it runs only listens for connections to
> > > > > the localhost address.
> > > > Which is rewritten to the jail's (externally visible) address on a
> > > > connect()
> > > Yup. I wasn't aware of that strange behavior of jails. That should be
> > > fixed.
> > Fixed how? Disallow jailed applications to connect to 127.0.0.1,
> > and thus break most of them, or have them reach 127.0.0.1 on the
> > host system and weaken the security?
> >
> > > I think the better fix would be to make jails not expose their
> > > localhost IP address to the outside world.
> > Exactly.

I think I misunderstood what you were saying here, sorry. I assumed you meant the user should run the jail on one of the addresses in the 127.0.0.0/8 range, while you probably were suggesting jails should have their own localhost IP address that is different from their outside IP address?

> Ok, I'm confused. Exactly how is fixing jails to not expose their
> localhost IP address to the outside world not fixing this strange
> behavior of jails?

AFAICS jails currently have no localhost IP address they could expose. They have one IP address that is always visible from the host system, and conveniently jailed applications that try to bind to 127.0.0.1 get connected to the one jail IP address, instead of receiving an error or getting through to the host system's localhost.

Fabian
-- 
http://www.fabiankeil.de/
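Added example, not code from the thread or from FreeBSD: a small Python check an administrator can run inside a jail (or on the host, where nothing is rewritten) to see whether a bind() or connect() to 127.0.0.1 is silently moved to the jail's single address, which is the behaviour described above. It is not FreeBSD-specific; it only reports what the kernel returns from getsockname()/getpeername().

```python
import socket

# Added example. Binds and connects to 127.0.0.1 and reports the addresses the
# kernel actually used. On a plain host both stay on 127.0.0.1; in a classic
# jail the thread says they come back as the jail's externally visible IP,
# so a daemon that "only listens on localhost" is reachable on that address.

LOOPBACK = "127.0.0.1"


def probe_loopback_bind(port: int = 0) -> dict:
    """Bind to 127.0.0.1 (port 0 = any free port) and report what we got."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((LOOPBACK, port))
        bound_ip, bound_port = s.getsockname()
    return {
        "requested": LOOPBACK,
        "bound": bound_ip,
        "port": bound_port,
        # True means the listener was moved off loopback by the kernel.
        "rewritten": bound_ip != LOOPBACK,
    }


def probe_loopback_connect() -> dict:
    """Listen on 127.0.0.1, connect() to it, and report the addresses the
    client side ended up using (the thread says connect() is rewritten too)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((LOOPBACK, 0))
        srv.listen(1)                      # handshake completes without accept()
        port = srv.getsockname()[1]
        with socket.create_connection((LOOPBACK, port), timeout=2) as cli:
            peer_ip, _ = cli.getpeername()
            local_ip, _ = cli.getsockname()
    return {"peer": peer_ip, "local": local_ip,
            "rewritten": peer_ip != LOOPBACK or local_ip != LOOPBACK}


def verdict(result: dict) -> str:
    """Human-readable summary for either probe result."""
    if result["rewritten"]:
        where = result.get("bound") or result.get("peer")
        return (f"loopback rewritten to {where}: services relying on "
                f"127.0.0.1 for isolation are exposed on that address")
    return "loopback kept on 127.0.0.1: no rewrite observed"


if __name__ == "__main__":
    for r in (probe_loopback_bind(), probe_loopback_connect()):
        print(r, "->", verdict(r))
```

Run it once on the host and once inside the jail; a differing "bound"/"peer" address is the rewrite the thread is about.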