In message <20040420015638.A84821@staff.seccuris.com>, "Christian S.J. Peron" writes:
>
> Although RAW sockets can be used when specifying the source
> address of packets (defeating one of the aspects of the jail)
> some people may find it useful to use utilities like ping(8)
> or traceroute(8) from inside jails.
>
> Enclosed is a patch I have written which gives you the option
> of allowing prison-root to create raw sockets inside the prison,
> so that various network debugging programs like ping
> and traceroute etc. can be used.
>
> This patch will create the security.jail.allow_raw_sockets sysctl
> MIB. I would appreciate any feedback from testers.
>
> See PR #:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65800

Could you take a peek and see how hard it would be to enforce source-IP
compliance with the jail restriction?

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.