From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sat 12 Mar 2005 - 19:52:06 GMT
On Sat, Mar 12, 2005 at 04:20:01PM +0000, Martin List-Petersen wrote:
> today we experienced a nice feature: it seems that ICMP is not bound by
> the context.
> When initiating a tcp connect from a vserver, it will come from the
> correct ip (the one, that has been assigned to the vserver).
> When pinging from a shell session of the vserver, it will use the ip
> address of the host, not the vserver.
pinging 'from a shell session of the vserver' is not
possible with 1.2.x, unless you give CAP_NET_RAW (which
is unfortunately a default in debian, and was reported
as a bug more than 250 days ago, status wontfix ;), which
allows much more than this (i.e. is insecure by default)
- sniffing on the interface for _all_ traffic
- generating arbitrary packets (with arbitrary
  ips or mac addresses, and data)
> Can anybody confirm this ?
well, it doesn't really matter which ip is used, you can
always specify it with the -I option ...
> This has so far been seen with 2.4.29-vs1.2.10
> Slán leat,
> Martin List-Petersen
> Dublin, Eire
> (contact info on --> http://www.marlow.dk/)
> Vserver mailing list
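An added example, not part of the original thread or of the Linux-VServer tools: one way to check which processes hold CAP_NET_RAW, the capability the reply above calls insecure by default. It assumes the standard CapPrm/CapEff/CapBnd lines of /proc/<pid>/status on a current Linux kernel; the sample status text is constructed.

```python
"""Report which processes hold CAP_NET_RAW, from /proc/<pid>/status text."""
import os
import re

CAP_NET_RAW = 13  # bit number from linux/capability.h
CAP_FIELDS = ("CapPrm", "CapEff", "CapBnd")

# Constructed sample inputs (not captured from a real system).
SAMPLE_WITH_NET_RAW = """Name:\tping
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""
SAMPLE_WITHOUT_NET_RAW = SAMPLE_WITH_NET_RAW.replace("25fb", "05fb")

def parse_cap_masks(status_text):
    """Return {field: int mask} for the capability lines present."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_FIELDS:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def net_raw_sets(status_text):
    """Return the sorted capability-set names in which CAP_NET_RAW is set."""
    masks = parse_cap_masks(status_text)
    return sorted(f for f, mask in masks.items() if (mask >> CAP_NET_RAW) & 1)

def audit_live(proc_root="/proc"):
    """Yield (pid, sets) for live processes that hold CAP_NET_RAW."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                sets = net_raw_sets(fh.read())
        except OSError:  # process exited or access denied
            continue
        if sets:
            yield int(entry), sets

if __name__ == "__main__":
    for pid, sets in audit_live():
        print(pid, ",".join(sets))
```

A hit in CapBnd alone still matters, because it is the ceiling on what a process can regain on exec.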