>> Ernie Luzar wrote:
>> Considering we have had ipfw/vimage/netgraph jails for several years I'd
>> be interested in your data sources.
>
> The source is personal experience. Tested 9.3 & 10.0 with ipfw running
> in vnet/vimage jails. At that time ipfw was logging to the host and not
> to the vimage jail. Definitely a security violation.

Kernel logging in general, not just for ipfw, is something that really should not propagate to jails but does.

> You know I give you a lot of credit for risking things on vnet/vimage
> jails in your shop. Most management just wouldn't take that risk.

Wasn't me but the engineers here before me. My personal preference is for non-vimage jails, at least where the networking makes sense. Prefs aside, we do have many vimage/netgraph/ipfw systems working well in the lab and field (of production high-volume financial applications).

>> the scripts in head/share/examples/jails/ are at least helpful.
>
> I checked out those examples. Hardly any comments about what is
> happening or why they're being done. All they are is a starting point to
> experiment doing trial and error testing.

The j?? scripts aren't meant as documentation but for ease of setup, to be called from /etc/jail.conf with a straightforward set of parameters. Agreed, documentation here is still wholly insufficient.

> I disagree with you about the security issue of using localhost. Running
> sendmail in a non-vimage jail using its default config listening on
> localhost is still contained in the jail. Localhost is internally
> converted to the jail's assigned ip address by jail(8).

How is anything listening on localhost internally converted yet still contained in the jail? I mean what is the mechanism and why sendmail but not other daemons?

> Why do you think this is a non-trivial security issue?

telnet $jail 25
ehlo ...
mail from: <...>
rcpt to: <...>
data

Sendmail has never been a relatively secure app and DOS/DDOS and spam are vulnerabilities but point taken. Problem is the localhost to external mapping impacts not just sendmail but named, postfix and anything else listening on 127.0.0.1.

> My time for playing around is very limited. I'll wait for 11.0 to be
> published and see what the "release notes" say about vimage and the
> firewalls becoming vimage aware. Also will be checking the closed bugs
> for vimage to see what has been fixed.

I have tested 11-CURRENT non-vimage, netgraph and if_bridge jails using iperf3 and not yet been able to trigger a crash. YMMV of course as the two bridging technologies do need far more substantial QA if we don't want to continue leaving this point strictly to Linux advocates.

> I do hope vnet/vimage has finally become of age and reliable for
> production like the non-vimage jails have become.

More reliable, better documented AND simpler would be ideal. I believe the crux is A) in the code's complexity and readability, B) inherent difficulties of testing and of course C) funding.

Roger
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
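A defender-side check for the localhost mapping point discussed in this thread, added here as an example and not part of the original mail: it parses the output of `sockstat -4 -l -j <jid>` (the sample below is constructed) and lists every daemon inside a non-VIMAGE jail that is bound to 127.0.0.1, which jail(8) redirects to the jail's assigned address, so the operator can confirm whether that exposure is intended. The `check_jail` wrapper assumes a FreeBSD host with sockstat(1); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). In a non-VIMAGE jail a bind to
# 127.0.0.1 is rewritten by jail(8) to the jail's first IPv4 address, so any
# "loopback only" daemon actually answers on the jail IP. This script finds
# such daemons from sockstat output. Column layout of `sockstat -4 -l -j JID`:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

# SAMPLE_SOCKSTAT is constructed for this example; 192.0.2.10 is the jail IP.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   127.0.0.1:25          *:*
root     sshd       1201  3  tcp4   192.0.2.10:22         *:*
bind     named      1150  20 tcp4   127.0.0.1:53          *:*
bind     named      1150  21 udp4   127.0.0.1:53          *:*
www      nginx      1300  6  tcp4   192.0.2.10:80         *:*'

# loopback_listeners: read sockstat output on stdin and print
# "COMMAND PROTO PORT" for every socket bound to 127.0.0.1. Each line is a
# service the jail owner likely believed was jail-local but which is reachable
# on the jail's assigned address.
loopback_listeners() {
    awk 'NR > 1 && $6 ~ /^127\.0\.0\.1:/ {
            split($6, a, ":"); print $2, $5, a[2]
         }'
}

# count_loopback_listeners: number of distinct COMMAND/PROTO/PORT triples in
# the constructed sample that bind loopback (used to summarise the finding).
count_loopback_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | loopback_listeners | sort -u | wc -l | tr -d ' '
}

# check_jail JID: run the same check against a live jail on a FreeBSD host
# (assumes sockstat(1) is available; not exercised by the sample run below).
check_jail() {
    sockstat -4 -l -j "$1" | loopback_listeners
}

# Sample run over the constructed data; expect sendmail and both named sockets.
printf '%s\n' "$SAMPLE_SOCKSTAT" | loopback_listeners
```

Run `check_jail "$(jls -j myjail jid)"` on the host to audit a real jail; sshd and nginx in the sample bind the jail IP explicitly and are not reported.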