Re: Jails and Hardware security
I think you may write your own rule set for that jail in /etc/devfs.rules and specify it by using the line:

    jail_(jailname)_devfs_ruleset=(rule_name)

in /etc/rc.conf, or the corresponding line in /usr/local/etc/ezjail/(jailname) if you are using ezjail.

Regards,
C.C.

On 1/31/2010 6:27 AM, Jay Hall wrote:
> Is it possible to limit what hardware a jail has access to?
>
> I am wanting to limit access to the tape drive/autoloader in one jail, but allow another to have access to it.
>
> Is this as simple as deleting the appropriate entries in /dev?
>
> Thanks,
> Jay

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
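
The setup suggested in the reply above, written out as an added example that is not part of the original thread: one devfs ruleset that exposes the tape drive and changer to a jail, and one that leaves them hidden. The jail names (tapejail, webjail), the ruleset names and numbers, and the sa/nsa/esa/ch device patterns are assumptions for illustration; confirm the actual node names with ls /dev on the host.

```conf
# ---- /etc/devfs.rules (added example; names and numbers are assumptions) ----
# Rulesets 1-4 come from /etc/defaults/devfs.rules, so use unused numbers here.
# Comments are kept on their own lines rather than after a rule.

# Jail that is allowed to use the tape drive and autoloader.
# Start from "hide everything", then unhide only what is needed.
[devfsrules_jail_tape=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# sa(4) tape drive nodes: rewind, no-rewind and eject-on-close variants
add path 'sa[0-9]*' unhide
add path 'nsa[0-9]*' unhide
add path 'esa[0-9]*' unhide
# ch(4) media changer (the autoloader robot)
add path 'ch[0-9]*' unhide

# Jail that must not see the tape hardware: same base, nothing extra unhidden.
[devfsrules_jail_notape=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

# ---- /etc/rc.conf ----
# Mount devfs in each jail and apply the matching ruleset by name.
jail_tapejail_devfs_enable="YES"
jail_tapejail_devfs_ruleset="devfsrules_jail_tape"
jail_webjail_devfs_enable="YES"
jail_webjail_devfs_ruleset="devfsrules_jail_notape"
```

After restarting the jails, running ls /dev inside each one shows whether the tape and changer nodes are visible only where intended.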
Re: Recommendations for NICs?
> Let me add my vote for Intel: I have a dual-port Pro/1000, and the thing is a rock:

I am planning to get a Pro/1000 MT dual-port card. Do you know whether it will work well in a 32-bit PCI slot on FreeBSD?

Thanks,
C.C.
pf + jail question.
Hi all,

Maybe this question is better posted on -pf or -jail, but I really don't know where the problem is, so I am posting here first.

I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as a gateway using pf (with ftp-proxy enabled) in my home network, configured as follows:

LAN: 10.7.13.0/24 ( + tap0 10.7.14.0/24 for VPN)
WAN: IP obtained from ISP.
gateway: 10.7.13.254

When I played with jail, I found that pf didn't block the traffic that it should. For example, I have the following line in pf.conf:

    block quick proto tcp from any to any port 21

Then in the host (gateway):

    [host] ~ ftp ftp.mozilla.org
    ftp: connect: Operation not permitted

In the jail:

    [jail1] ~ ftp ftp.mozilla.org
    Connected to dm-ftp01.mozilla.org.
    ...(welcome message)

Other client on the LAN (Windows):

    C:\Users\test-user>ftp ftp.mozilla.org
    Connected to dm-ftp01.mozilla.org.
    Connection closed by remote host.

The ftp-proxy log when the Windows client is connecting:

    #5 accepted connection from 10.7.13.1
    #5 proxy cannot connect to server 63.245.208.138: Operation not permitted
    #5 ending session

My jail's IP is 10.7.13.99, which is within the subnet of the LAN.

Does anyone know where the problem is? It seems that the traffic from the jail bypasses the pf filtering rules?

The following is part of my pf.conf:

===
ext_if="wan0"
int_if="{ lan0 }"
self="10.7.13.254"
internal_net="{ 10.7.13.0/24, 10.7.14.0/24 }"

scrub in

nat pass on $ext_if from $internal_net to any -> ($ext_if) static-port

# handling FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> \
    127.0.0.1 port 8021
anchor "ftp-proxy/*"

block quick proto tcp from any to any port 21

Thanks,
C.C.