From: Cathy Sarisky (cathy_at_acornhosting.net)
Date: Mon 04 Nov 2002 - 23:49:12 GMT
Ah, actually, I think that clarifies the misunderstanding.
You typically do NOT run services listening to 0.0.0.0 in the main server, or else it grabs all the IPs assigned to the vserver. You can edit the config files for sshd on the root to only listen to the root server's address, or see v_sshd for one that binds just one IP for you.
Services listening to all IPs (0.0.0.0) on the main server are generally a problem. The main server and services start before the vservers start, so they grab the ports, leaving nothing available for the vserver to use.
---------- Original Message ----------------------------------
From: Gerrit Hoetzel <gt_at_hzhome.mine.nu>
Date: Mon, 4 Nov 2002 21:19:06 +0000
>On Mon, Nov 04, 2002 at 03:14:46PM -0500
>Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:
>> On Sat, 2 Nov 2002 18:42:20 -0500, Gerrit Hoetzel wrote
>> > How do you ensure that a vserver cannot establish a connection to a
>> > program listening to 0.0.0.0 on the root system without denying loopback
>> > capabilities for the vserver on its own IP ?
>> A vserver is forced to use its own private IP. So you can use firewalling
>> to control that. You are sure of the "from" part of the rule.
>I think you're missing the point!
>Suppose you have sshd running in the root-box
>and you have a vserver with IPROOT=192.168.1.10.
>And you have the following firewall rule:
> 192.168.1.10 is just allowed to connect to 192.168.1.10; anything
> else is denied (you meant that with firewalling rules - right?)
>Well, connections to 192.168.1.10:22 from within the vserver connect you
>to sshd (using the loopback device).
>There is just one loopback device. Regardless of which IP you use to
>connect to it you will have access to all programs listening to the
>dst-IP (and 0.0.0.0 listens to everything which reaches the device).
>At least that's what I have observed.
>So how do you make sure that a vserver cannot connect to a
>0.0.0.0-listening program in the root box ?
Sent via the WebMail system at webmail.pioneernet.net
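As an added illustration of the point Cathy makes above (not code from the list or from the vserver project): a small Python checker that reads /proc/net/tcp-style lines and flags listeners bound to 0.0.0.0, which answer on every vserver IP as well, versus listeners bound to one address. The sample table is constructed for this example, and the address decoding assumes a little-endian host (x86), where the kernel prints the IPv4 address byte-reversed.

```python
"""Flag root-box listeners that a vserver can reach over loopback.
Input is /proc/net/tcp format; the SAMPLE below is constructed."""
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr: str):
    """'0100007F:0016' -> ('127.0.0.1', 22).
    Assumes a little-endian host, so the hex IPv4 is byte-reversed."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp: str):
    """All (ip, port) pairs in LISTEN state, header line skipped."""
    rows = []
    for line in proc_net_tcp.strip().splitlines()[1:]:
        fields = line.split()
        if fields[3] != LISTEN:
            continue
        rows.append(decode_addr(fields[1]))
    return rows


def wildcard_listeners(proc_net_tcp: str):
    """Sockets bound to 0.0.0.0: reachable on every IP the host owns,
    including each vserver's IPROOT address."""
    return [(ip, p) for ip, p in listeners(proc_net_tcp) if ip == "0.0.0.0"]


def reachable_from(proc_net_tcp: str, vserver_ip: str):
    """What a vserver confined to vserver_ip can connect to over loopback:
    wildcard binds plus anything bound to its own address."""
    return [(ip, p) for ip, p in listeners(proc_net_tcp)
            if ip in ("0.0.0.0", vserver_ip)]


# Constructed sample: sshd on 0.0.0.0:22, smtp on 127.0.0.1:25,
# httpd on 192.168.1.10:80, plus one established (non-listening) socket.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0A01A8C0:0050 0B01A8C0:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    print("wildcard:", wildcard_listeners(SAMPLE))
    print("reachable from 192.168.1.10:", reachable_from(SAMPLE, "192.168.1.10"))
```

On a real host, pass the contents of /proc/net/tcp instead of SAMPLE; a sshd entry showing up under "wildcard" is the case the thread describes, and the fix is a ListenAddress limited to the root server's own IP.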