[rsbac] JAIL and outgoing tcp connections

Joachim Ring jring at web.de
Mon Dec 1 22:08:55 CET 2003


On Sun, Nov 30, 2003 at 20:05:20 +0100, Amon Ott wrote:
> Yes, I know it can take some time.

but i keep learning all the time - RSBAC with all its models has so many
ways to reach a given goal; with Bell-LaPadula we considered ourselves
lucky if we found one...
  
> > i was in the process of jailing an apache when i remembered that i
> > wanted this as a reverse proxy and sure enough, all attempts to proxy a
> > request were killed with a CONNECT forbidden by JAIL...
> 
> Your apache seems to connect from a not allowed IP address. Do you use 
> auto-adjust?

not really sure what you mean by auto-adjust, is this mentioned in
the text from rsbac_jail -? this is about everything i have on JAIL...

anyways, here's the line i start my apache with:

/usr/bin/rsbac_jail -loi /opt/www 192.168.1.10 $HTTPD -d
/servers/instancename -f conf/httpd.conf -k start -DSSL

> Just to be sure, please send us the command line you use to jail-start apache 
> and the log entry, when CONNECT is denied.

Mon Dec  1 09:48:58 2003 :<6>0000000377|rsbac_adf_request(): request
CONNECT, pid 18340, ppid 16764, prog_name httpd, uid 65532, target_type
NETOBJ, tid f35cdcd0 INET STREAM proto TCP local 0.0.0.0:0 remote
192.168.1.20:80, attr , value 0, result NOT_GRANTED by JAIL

so apache uses INADDR_ANY as source addr and doesn't care about the
source port either, which makes JAIL barf as 0.0.0.0 doesn't equal
192.168.1.10. it sure enough works when i start the jail with 0.0.0.0
as jail ip (which is ok in my case as the apache is listening on some
port on the localhost) - the question remains whether the JAIL module is
really interpreting this as INADDR_ANY (the wildcard) in the case of
converting listen addresses and so allows a process to listen on any ip
regardless of JAIL - i haven't tried it.

also shouldn't JAIL convert INADDR_ANY as src addr of the outgoing 
connection to the jail ip too?
  
> If JAILs are not sufficient, you can always build your cage by hand, e.g. 
> using the RC module. It is much more work, but it gives you full choice.

i think i'm not really keen on building the jail via RC, especially as
i'm not yet really into the NETOBJ stuff. implementing a
write-protection for just about anything and non-execute for the rest
was hard enough, as was creating a new role in order to be able to
admin this mess without softmode again ;-)

i think i'll just use iptables (or whatever the linux kernel firewall is
called today? ;-) to make sure that nobody opens connections from the
outside interface and only to trusted hosts on the inside...

joachim
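An added example, not from this thread or from RSBAC itself: a small Python checker for the rsbac_adf_request() log format quoted above, which picks out CONNECT denials by JAIL where the socket's local address was still INADDR_ANY rather than the jail IP (the mismatch described in the post). The regex is written from that single sample line, so the field order is an assumption, and the second log line is constructed for contrast.

```python
import re

# Regex for the rsbac_adf_request() line format quoted above (assumption: field order is fixed).
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>\S+), uid (?P<uid>\d+), "
    r"target_type (?P<target>\w+), tid (?P<tid>.+?) proto (?P<proto>\w+) "
    r"local (?P<laddr>[\d.]+):(?P<lport>\d+) remote (?P<raddr>[\d.]+):(?P<rport>\d+), "
    r"attr (?P<attr>[^,]*), value (?P<value>\d+), result (?P<result>\w+) by (?P<module>\w+)"
)
INADDR_ANY = "0.0.0.0"

def parse_adf(line: str):
    """Return the named fields of one ADF log line as a dict, or None if it is not one."""
    m = ADF_RE.search(line)
    return m.groupdict() if m else None

def jail_source_mismatch(rec: dict, jail_ip: str) -> bool:
    """True when JAIL denied a NETOBJ CONNECT whose socket was still bound to INADDR_ANY."""
    return (
        rec["request"] == "CONNECT"
        and rec["target"] == "NETOBJ"
        and rec["result"] == "NOT_GRANTED"
        and rec["module"] == "JAIL"
        and rec["laddr"] == INADDR_ANY
        and jail_ip != INADDR_ANY  # a jail started with 0.0.0.0 never trips on this
    )

def scan(lines, jail_ip: str):
    """(pid, prog_name, remote addr, remote port) for every denial that fits the pattern."""
    hits = []
    for line in lines:
        rec = parse_adf(line)
        if rec and jail_source_mismatch(rec, jail_ip):
            hits.append((int(rec["pid"]), rec["prog"], rec["raddr"], int(rec["rport"])))
    return hits

# Constructed sample: the denial from the thread joined onto one line, plus a
# constructed GRANTED line from a socket already bound to the jail IP for contrast.
SAMPLE_LOG = [
    "Mon Dec  1 09:48:58 2003 :<6>0000000377|rsbac_adf_request(): request CONNECT, "
    "pid 18340, ppid 16764, prog_name httpd, uid 65532, target_type NETOBJ, "
    "tid f35cdcd0 INET STREAM proto TCP local 0.0.0.0:0 remote 192.168.1.20:80, "
    "attr , value 0, result NOT_GRANTED by JAIL",
    "Mon Dec  1 09:49:02 2003 :<6>0000000378|rsbac_adf_request(): request CONNECT, "
    "pid 18341, ppid 16764, prog_name httpd, uid 65532, target_type NETOBJ, "
    "tid f35cdce0 INET STREAM proto TCP local 192.168.1.10:0 remote 192.168.1.20:80, "
    "attr , value 0, result GRANTED by JAIL",
]
```

Running `scan(SAMPLE_LOG, "192.168.1.10")` returns only the httpd denial with the 0.0.0.0 source, which is the case to look for before deciding between a 0.0.0.0 jail IP and a firewall rule.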