[rsbac] JAIL and outgoing tcp connections

Amon Ott ao at rsbac.org
Sun Nov 30 20:05:20 CET 2003

On Sunday, 30 November 2003 19:31, Joachim Ring wrote:
> during the past few weeks i've been playing around with rsbac and as of
> now the system starts to get usable again even with rsbac ;-)

Yes, I know it can take some time.

> i was in the process of jailing an apache when i remembered that i
> wanted this as a reverse proxy and sure enough, all attempts to proxy a
> request were killed with a CONNECT forbidden by JAIL...

Your apache seems to connect from a not allowed IP address. Do you use 

Just to be sure, please send us the command line you use to jail-start apache 
and the log entry when CONNECT is denied.

> i understand that this is as advertised in the docs but i was asking
> myself whether i was overseeing some possibility to allow connections to
> a few trusted hosts with the netrules (which i frankly haven't really 
> grasped yet).

Only auto-adjust comes to my mind here, but s.a.

> also other ideas (besides plain chroot, what it's now) are welcome.

If JAILs are not sufficient, you can always build your cage by hand, e.g. 
using the RC module. It is much more work, but it gives you full choice.

