By default FreeBSD does not allows prison users / apps to create raw sockets. This is a security feature. With raw sockets one can use perl / python or tools such as nc to create raw socket and launch attacks. However, this aspects of the jail environment may be modified from the host environment using sysctl command.
security.jail.allow_raw_sockets MIB entry determines whether or not prison root is allowed to create raw sockets. Setting this MIB to 1 allows utilities like ping and traceroute to operate inside the prison. Type the following command:
# sysctl security.jail.allow_raw_sockets=1Now login to jail using jexec:
host # jexec 1 csh
jail# ping cyberciti.bizAdd following line to sysctl.conf:
# echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.confA note about MIB
This is optional configuration. Above MIB variable affect all jails on the system. In other words, all jails will be able to use ping and traceroute command. You can deny or allow access to certain jails using host firewall such as PF. Here is a sample PF firewall:# interface
int_if="em0"
ext_if="em1"
# ICMP types
icmp_types = "{ echoreq, unreach }"
# Allowed ips for traceroute
troute_outbound_ips = "{ 10.24.55.101, 10.24.55.103, 10.24.55.111 }"
# Allowed ips for ping
ping_outbound_ips = "{ 10.24.55.103, 10.24.55.111 }"
# Some defaults
set block-policy return
set loginterface $ext_if
scrub in all
# Drop ALL - drop incoming and everything else
block log all
# skip loopback and vpn interface
set skip on {lo0, $int_if}
block in quick from urpf-failed
antispoof log for $ext_if
## your other rules STARTS ###
## add your other pf rules to open port and other stuff
# ...
# ...
## your other rules ENDS ###
### Allow ping and trace route from selected jails ###
pass out on $ext_if inet proto udp from $troute_outbound_ips to any port 33433 >< 33626 keep state
### Allow ping pong from selected jails ###
pass out on $ext_if inet proto icmp from $ping_outbound_ips to any icmp-type $icmp_types keep state
No comments:
Post a Comment