From: Gerrit Hoetzel (gt_at_hzhome.mine.nu)
Date: Mon 04 Nov 2002 - 21:19:06 GMT
On Mon, Nov 04, 2002 at 03:14:46PM -0500
Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:
> On Sat, 2 Nov 2002 18:42:20 -0500, Gerrit Hoetzel wrote
> > How do you ensure that a vserver cannot establish a connection to a
> > program listening to 0.0.0.0 on the root system without denying loopback
> > capabilities for the vserver on its own IP ?
> A vserver is forced to use its own private IP. So you can use firewalling
> to control that. You are sure of the "from" part of the rule.
I think you're missing the point!
Suppose you have sshd running in the root-box
and you have a vserver with IPROOT=192.168.1.10.
And you have the following firewall rule:
192.168.1.10 is just allowed to connect to 192.168.1.10; anything
else is denied (you meant that with firewalling rules - right?)
Well, connections to 192.168.1.10:22 from within the vserver connect you
to sshd (using the loopback device).
There is just one loopback device. Regardless of which IP you use to
connect to it you will have access to all programs listening to the
dst-IP (and 0.0.0.0 listens to everything which reaches the device).
At least that's what I have observed.
So how do you make sure that a vserver cannot connect to a
0.0.0.0-listening program in the root box ?
-- Gerrit Hoetzel http://www.hzhome.mine.nu
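The check a practitioner would want after reading this: which listeners on the root box are bound to the wildcard address and are therefore reachable from inside a vserver even when the firewall only permits packets from the vserver's IP to the vserver's IP. The script below is an added example, not code from the original message or from the vserver project. It parses `netstat -tln` style output (the sample here is constructed, not captured from a real system) and models the single allow rule from the message: source 192.168.1.10 to destination 192.168.1.10, everything else denied. Under that rule a listener bound to 0.0.0.0 still answers on the vserver's own address, so it is flagged. The function names and the sample listeners are assumptions for illustration.

```python
"""Audit root-box listeners a vserver can still reach through loopback.

Added example (not from the original message or the vserver project).
"""
import re
import socket

# Constructed sample of `netstat -tln` output on a root box that hosts one
# vserver with IPROOT=192.168.1.10 (not captured from a real system):
#   0.0.0.0:22       root sshd, bound to the wildcard address
#   127.0.0.1:25     root MTA, loopback only
#   192.168.1.1:80   root httpd, bound to the root box's own IP
#   192.168.1.10:80  the vserver's own httpd
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
"""

# Wildcard bind addresses: a socket bound to one of these accepts
# connections to every local address, including the vserver's IP.
WILDCARDS = {"0.0.0.0", "::"}

# Matches one LISTEN line: proto, recv-q, send-q, local addr:port, foreign, state.
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.MULTILINE
)


def parse_listeners(netstat_text):
    """Return [(bind_ip, port), ...] for every listening TCP socket."""
    return [(ip, int(port)) for ip, port in LISTEN_RE.findall(netstat_text)]


def allowed_by_rule(src_ip, dst_ip, vserver_ip):
    """The firewall policy from the message: the vserver may only talk
    to its own IP; every other (src, dst) pair is denied."""
    return src_ip == vserver_ip and dst_ip == vserver_ip


def reachable_from_vserver(listeners, vserver_ip):
    """Listeners a process inside the vserver can connect to.

    The vserver is forced to use vserver_ip as its source and, under the
    rule above, may only send to vserver_ip.  A listener answers such a
    connection when it is bound to that exact address or to a wildcard.
    """
    hits = []
    for bind_ip, port in listeners:
        if not allowed_by_rule(vserver_ip, vserver_ip, vserver_ip):
            continue
        if bind_ip == vserver_ip or bind_ip in WILDCARDS:
            hits.append((bind_ip, port))
    return hits


def leaked_root_listeners(listeners, vserver_ip):
    """Root-box services the vserver was not meant to reach but can:
    everything reachable that is not bound to the vserver's own IP."""
    return [
        (ip, port)
        for ip, port in reachable_from_vserver(listeners, vserver_ip)
        if ip != vserver_ip
    ]


def wildcard_listener_answers_on(dst_ip="127.0.0.1"):
    """Live demonstration on this host: a socket bound to 0.0.0.0 accepts
    a connection addressed to dst_ip.  Returns True if the connect succeeds."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("0.0.0.0", 0))  # ephemeral port, wildcard address
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect((dst_ip, port))
        return True
    except OSError:
        return False
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_NETSTAT)
    for ip, port in leaked_root_listeners(listeners, "192.168.1.10"):
        print(f"root listener {ip}:{port} is reachable from the vserver "
              f"via 192.168.1.10:{port} despite the per-IP firewall rule")
    print("0.0.0.0 listener answers on 127.0.0.1:",
          wildcard_listener_answers_on())
```

The only listener flagged is the root sshd on 0.0.0.0:22: the connection from 192.168.1.10 to 192.168.1.10:22 matches the allow rule, and the wildcard-bound socket accepts it. The loopback-only MTA on 127.0.0.1:25 and the httpd bound to 192.168.1.1:80 are not reachable under the rule because their destination addresses are denied, which is why the leak is specific to 0.0.0.0 binds and cannot be closed by a source-address rule alone.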