[rsbac] JAIL and outgoing tcp connections

Amon Ott ao at rsbac.org
Tue Dec 2 08:54:44 CET 2003 

On Montag, 1. Dezember 2003 22:08, Joachim Ring wrote:
> On Sun, Nov 30, 2003 at 20:05:20 +0100, Amon Ott wrote:
> > Yes, I know it can take some time.
> 
> but i keep learning all the time - RSBAC with all its models has so many
> ways to reach a given goal, with bell-la padula we considered ourselves
> lucky if we found one...

This is consistent with my MAC experience. :)
   
> > > i was in the process of jailing an apache when i remembered that i
> > > wanted this as a reverse proxy and shure enough, all attempts to proxy a
> > > request were killed with a CONNECT forbidden by JAIL...
> > 
> > Your apache seems to connect from a not allowed IP address. Do you use 
> > auto-adjust?
> 
> not really shure what you mean with auto-adjust, is this mentioned in
> the text from rsbac_jail -? this is about everything i have on JAIL...

auto-adjust is the JAIL feature, which adjusts your IP address automatically. 
It is not on by default, because it changes standard behaviour.
 
> anyways, here's the line i start my apache with:
> 
> /usr/bin/rsbac_jail -loi /opt/www 192.168.1.10 $HTTPD -d
> /servers/instancename -f conf/httpd.conf -k start -DSSL

Add a "-a" to the rsbac_jail options.
 
> > Just to be sure, please send us the command line you use to jail-start 
apache 
> > and the log entry, when CONNECT is denied.
> 
> Mon Dec  1 09:48:58 2003 :<6>0000000377|rsbac_adf_request(): request
> CONNECT, pid 18340, ppid 16764, prog_name httpd, uid 65532, target_type
> NETOBJ, tid f35cdcd0 INET STREAM proto TCP local 0.0.0.0:0 remote
> 192.168.1.20:80, attr , value 0, result NOT_GRANTED by JAIL
> 
> so apache uses INADDR_ANY as source addr and doesn't care about the
> source port either, which makes JAIL barf as 0.0.0.0 doesn't equal
> 192.168.1.10. it shure enough works when i start the jail with 0.0.0.0
> as jail ip (which is ok in my case as the apache is listening on some
> port on the localhost) - the question remains whether the JAIL module is
> really interpreting this as INADDR_ANY (the wildcard) in the case of 
> converting listen addresses and so allows a process to listen to any ip
> regardles of JAIL - i haven't tried it.

This and a smissing -a was my first guess without knowing the details, so I 
asked for both lines.
 
> also shouldn't JAIL convert INADDR_ANY as src addr of the outgoing 
> connection to the jail ip too?

S.a.: Only, if requested in the rsbac_jail call. This is what -a does.
   
> > If JAILs are not sufficient, you can always build your cage by hand, e.g. 
> > using the RC module. It is much more work, but it gives you full choice.
> 
> i think i'm not really keen on building the jail via RC, especially as
> i'm not yet really into the NETOBJ stuff. implementing a
> write-protection for just about anything and non-execute for the rest
> was hard enough, as was creating a new role in order to be able to
> admin this mess without softmode again ;-)

It is a lot of work, but it is worth it. Almost any worm attack will fail with 
your setup, even if there is an exploit in one of your servers.
 
> i think i'll just use iptables (or what's the linux kernel firewall
> called today? ;-) to make shure that nobody opens connections from the
> outside interface and only to trusted hosts on the inside...

The difference is that RSBAC can distinguish between different processes with 
different network rights. But I agree that in many cases this is overkill.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list