On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
>
> I currently have a patch in review with Jamie, who is the current jail
> maintainer, and Kyle Evans, if anyone else could comment/review this patch:
> https://reviews.freebsd.org/D26782
>
> What has been done is the following:
>
> Raw socket access is allowed for the ICMP protocol, as is required by
> PING(8), but option IP_HDRINCL is not allowed. To accomplish this,
> a new privilege PRIV_NETINET_ICMP_ACCESS has been added by default for
> jails.
>
> Bests
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Thanks for the heads-up, Carlos. I have a use for allowing only ICMP traffic, so it's beneficial.

However, I do agree with BZ that it should not be enabled by default, as it weakens the security model, enabling a broken jail to more easily enumerate the wider network environment.