Re: Jails and Hardware security

2010-02-02 Thread C. C. Tang 
I think you may write your only rule set for that jail in 
/etc/devfs.rules and specify it by using the line:


jail_(jailname)_devfs_ruleset=(rule_name)

in /etc/rc.conf

Or corresponding line in /usr/local/etc/ezjail/(jailname) if you are 
using ezjail.


Regards,
C.C.

On 1/31/2010 6:27 AM, Jay Hall wrote:

Is it possible to limit what hardware a jail has access to?  I am
wanting to limit access to the tape drive/autoloader in one jail, but
allow another to have access to it.

Is this as simple as deleting the appropriate entries in /dev?

Thanks,

Jay
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Recommendations for NICs?

2010-01-21 Thread C. C. Tang 

Let me add my vote for Intel: I have a dual-port Pro/1000, and
the thing is a rock:


I am planning to get a Pro/1000 MT dual port card, do you know that will 
it works well in 32bit PCI slot on FreeBSD?


Thanks,
C.C.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

pf + jail question.

2010-01-19 Thread C. C. Tang 

Hi all,

May be this question is better to post on -pf or -jail but I really 
don't know where the problem is. So post here first.


I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway 
using pf (with ftp-proxy enabled) in my home network configured as follow:


LAN: 10.7.13.0/24 ( + tap0 10.7.14.0/24 for VPN)
WAN: IP obtained from ISP.
gateway: 10.7.13.254

When I played with jail, I found that fp didn't block the traffic that 
it should.

For example,
I have the following line in pf.conf:
block quick proto tcp from any to any port 21

Then in the host(gateway):
[host] ~ ftp ftp.mozilla.org
ftp: connect: Operation not permitted

In the jail:
[jail1] ~ ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
...(welcome message)

Other client on the LAN(Windows):
C:\Users\test-userftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
Connection closed by remote host.

The ftp-proxy log when windows client is connecting:
#5 accepted connection from 10.7.13.1
#5 proxy cannot connect to server 63.245.208.138: Operation not permitted
#5 ending session

My jail's IP 10.7.13.99 which is within the subnet of LAN.

Do anyone know where the problem is?
It seems that the traffic from jail bypasses the pf filtering rules?

The following is part of my pf.conf:
===
ext_if=wan0
int_if={ lan0 }
self=10.7.13.254
internal_net={ 10.7.13.0/24, 10.7.14.0/24 }

scrub in
nat pass on $ext_if from $internal_net to any - ($ext_if) static-port

# handling FTP
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*


no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 - \
  127.0.0.1 port 8021

anchor ftp-proxy/*
block quick proto tcp from any to any port 21


Thanks,
C.C.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

pf + jail question.

2010-01-19 Thread C. C. Tang 

Hi all,

May be this question is better to post on -pf or -jail but I really
don't know where the problem is. So post here first.

I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway
using pf (with ftp-proxy enabled) in my home network configured as follow:

LAN: 10.7.13.0/24 ( + tap0 10.7.14.0/24 for VPN)
WAN: IP obtained from ISP.
gateway: 10.7.13.254

When I played with jail, I found that fp didn't block the traffic that
it should.
For example,
I have the following line in pf.conf:
block quick proto tcp from any to any port 21

Then in the host(gateway):
[host] ~ ftp ftp.mozilla.org
ftp: connect: Operation not permitted

In the jail:
[jail1] ~ ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
...(welcome message)

Other client on the LAN(Windows):
C:\Users\test-userftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
Connection closed by remote host.

The ftp-proxy log when windows client is connecting:
#5 accepted connection from 10.7.13.1
#5 proxy cannot connect to server 63.245.208.138: Operation not permitted
#5 ending session

My jail's IP 10.7.13.99 which is within the subnet of LAN.

Do anyone know where the problem is?
It seems that the traffic from jail bypasses the pf filtering rules?

The following is part of my pf.conf:
===
ext_if=wan0
int_if={ lan0 }
self=10.7.13.254
internal_net={ 10.7.13.0/24, 10.7.14.0/24 }

scrub in
nat pass on $ext_if from $internal_net to any - ($ext_if) static-port

# handling FTP
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*


no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 - \
  127.0.0.1 port 8021

anchor ftp-proxy/*
block quick proto tcp from any to any port 21


Thanks,
C.C.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org