On Wed, Dec 27, 2006 at 04:56:38PM +0100, Jeremie Le Hen wrote:
> On Sat, Dec 16, 2006 at 10:13:00AM +0000, Bjoern A. Zeeb wrote:
> > >this way it's hard to distinguish in a packet filter (let's say pf),
> > >among connections originating from within the jail itself or
> > >from the host system to the jail.
> >
> > I won't ask why you would want to do that if you control it
> > from the "host" system anyway...
>
> Additionally, ipfw(8) has the "jail" keyword, though it is easier to
> work with IP addresses since jail ids are bumped whenever you restart
> a jail.

yes, i know. but it's not just the packet filter itself. this way i cannot make separate access control rules in PostgreSQL's configuration file which treat in-jail and host system connections differently, since both have the same originating IP address.

it was pointed out to me that i could use sshd_config's bind directive, and netcat's -s, but in most client libraries i don't have this flexibility. clients tend to bind to INADDR_ANY and leave the details to the IP stack itself. they just need to connect, and don't select IP addresses to bind to. libpq (postgres's client library) doesn't offer this flexibility, nor does any other client lib i know at the moment. you cannot even configure a web browser (links, opera, firefox, etc) and tell it which IPs it can use for browsing purposes and which ones are out of its limits (for example some addresses are held for jails).

Bye,
Gergely Czuczy
mailto: [EMAIL PROTECTED]

--
Weenies test. Geniuses solve problems that arise.
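The knob the poster is missing in libpq and other client libraries is the one sshd's bind directive and `nc -s` expose: bind() the client socket to a chosen local address before connect(), so the server (and a pf or pg_hba.conf rule keyed on the client address) sees that address rather than whatever the stack picks for INADDR_ANY. The following is an added example, not code from the thread or from any of the projects mentioned; it assumes a Linux host where the whole of 127.0.0.0/8 is local, and uses 127.0.0.2 as a constructed "second" address standing in for the address a host-side client would reserve for itself next to a jail's address.

```c
/*
 * Added example (not from the thread): a TCP client that pins its source
 * address with bind() before connect(), which is the control the poster says
 * libpq and most client libraries don't expose. A server-side policy keyed
 * on the peer address (a pf rule, a pg_hba.conf line) can then tell host
 * traffic from jail traffic apart even when both run on one machine.
 * Assumes Linux, where all of 127.0.0.0/8 is routed to lo, so 127.0.0.2
 * (a constructed sample address) can be bound without extra configuration.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill a sockaddr_in from dotted-quad text and a host-order port. */
static int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Connect to dst_ip:dst_port using src_ip as the local address.
 * Returns a connected socket or -1. The bind() step is what the usual
 * connect()-only client omits; port 0 still lets the kernel choose an
 * ephemeral port, only the address is fixed. */
int connect_from(const char *src_ip, const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src, dst;
    int fd;

    if (make_addr(&src, src_ip, 0) < 0 || make_addr(&dst, dst_ip, dst_port) < 0)
        return -1;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Listen on listen_ip with a kernel-chosen port; returns the fd and stores
 * the port so a client in the same process can reach it. */
int listen_on(const char *listen_ip, unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd;

    if (make_addr(&sa, listen_ip, 0) < 0)
        return -1;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Accept one connection and write the peer's address text into buf.
 * This is the value an address-based server rule would match on. */
int accept_peer(int lfd, char *buf, size_t buflen)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int cfd = accept(lfd, (struct sockaddr *)&peer, &len);
    if (cfd < 0)
        return -1;
    inet_ntop(AF_INET, &peer.sin_addr, buf, (socklen_t)buflen);
    close(cfd);
    return 0;
}

/* Demo: a listener on 127.0.0.1 is contacted from 127.0.0.2 and reports the
 * source it saw; without the bind() it would see 127.0.0.1 instead. */
int main(void)
{
    unsigned short port;
    char peer[INET_ADDRSTRLEN];
    int lfd = listen_on("127.0.0.1", &port);
    if (lfd < 0) { perror("listen_on"); return 1; }
    int cfd = connect_from("127.0.0.2", "127.0.0.1", port);
    if (cfd < 0) { perror("connect_from"); return 1; }
    if (accept_peer(lfd, peer, sizeof peer) < 0) { perror("accept_peer"); return 1; }
    printf("server saw connection from %s\n", peer);
    close(cfd);
    close(lfd);
    return 0;
}
```

Because the address is chosen on the client side, this only helps where the client code can be changed or the library offers a source-address option; it does nothing for the browsers and libpq clients the poster describes, which is precisely the gap the message complains about.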