From andrew@mowgli.rinet.ru  Sat Jan 17 08:52:21 2004
Return-Path: <andrew@mowgli.rinet.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3398816A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 17 Jan 2004 08:52:21 -0800 (PST)
Received: from mowgli.rinet.ru (mowgli.rinet.ru [195.54.192.81])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 43CE143D49
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 17 Jan 2004 08:52:20 -0800 (PST)
	(envelope-from andrew@mowgli.rinet.ru)
Received: by mowgli.rinet.ru (Mail Transport Agent, from userid 290)
	id 4D2C9459; Sat, 17 Jan 2004 19:52:18 +0300 (MSK)
Message-Id: <20040117165218.4D2C9459@mowgli.rinet.ru>
Date: Sat, 17 Jan 2004 19:52:18 +0300 (MSK)
From: Andrew Kolchoogin <andrew@rinet.ru>
Reply-To: Andrew Kolchoogin <andrew@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Jail security is not honored using IP Filter
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         61483
>Category:       kern
>Synopsis:       [jail] Jail security is not honored using IP Filter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 17 09:00:29 PST 2004
>Closed-Date:    Sun Jul 10 15:39:52 GMT 2005
>Last-Modified:  Sun Jul 10 15:40:16 GMT 2005
>Originator:     Andrew Kolchoogin
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD mowgli.rinet.ru 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #3: Fri Dec 19 19:18:12 MSK 2003 andrew@mowgli.rinet.ru:/usr/src/sys/compile/UNIX i386

>Description:
    Although there is no ability to see IP firewall rules set up using the
FreeBSD 'standard' ipfw package, the alternate firewall toolkit -- ipf -- doesn't
honor jail security: ipfstat -io/ipnat -l work fine even inside a jail.

>How-To-Repeat:
    1) Set up any jail:

        mkdir /usr/jail
        cd /usr/src
        make buildworld
        make DESTDIR=/usr/jail installworld
        cd etc
        make DESTDIR=/usr/jail distribution

    2) Run shell inside jail:

        jail /usr/jail localhost 127.0.0.1 /bin/tcsh

    3) Start 'ipfstat' command:

        ipfstat -io

    And you will see all of your IP filter rules set up outside jail.

>Fix:

>Release-Note:
>Audit-Trail:

From: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To: Andrew Kolchoogin <andrew@rinet.ru>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/61483: Jail security is not honored using IP Filter
Date: Sat, 17 Jan 2004 18:25:27 +0100

 On Sat, Jan 17, 2004 at 07:52:18PM +0300, Andrew Kolchoogin wrote:
 
 > >How-To-Repeat:
 >     1) Set up any jail:
 > 
 >         mkdir /usr/jail
 >         cd /usr/src
 >         make buildworld
 >         make DESTDIR=/usr/jail installworld
 >         cd etc
 >         make DESTDIR=/usr/jail distribution
 
 Please show /dev content and consult with jail(8).
 
 >     2) Run shell inside jail:
 > 
 >         jail /usr/jail localhost 127.0.0.1 /bin/tcsh
 > 
 >     3) Start 'ipfstat' command:
 > 
 >         ipfstat -io
 > 
 >     And you will see all of your IP filter rules set up outside jail.
 
 
 -- 
 Paweł Małachowski
  
State-Changed-From-To: open->feedback 
State-Changed-By: arved 
State-Changed-When: Mon Aug 30 16:17:02 GMT 2004 
State-Changed-Why:  
Did Pawel's suggestion resolve your problem? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61483 
State-Changed-From-To: feedback->closed 
State-Changed-By: arved 
State-Changed-When: Sun Jul 10 15:38:45 GMT 2005 
State-Changed-Why:  
Quoting Submitter: 
It was not actually a bug, it was my misunderstanding of manual 
pages. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=61483 

From: Andrew Kolchoogin <andrew@rinet.ru>
To: Tilman Linneweh <arved@freebsd.org>
Cc:  
Subject: Re: kern/61483: Jail security is not honored using IP Filter
Date: Sun, 10 Jul 2005 09:45:41 +0400

 On Mon, Aug 30, 2004 at 04:17:22PM +0000, Tilman Linneweh wrote:
 
 > Synopsis: Jail security is not honored using IP Filter
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: arved
 > State-Changed-When: Mon Aug 30 16:17:02 GMT 2004
 > State-Changed-Why: 
 > Did Pawel's suggestion resolve your problem?
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=61483
 
     Sure. It was not actually a bug, it was my misunderstanding of manual
 pages.
 -- 
     Yours
         Andrew Kolchoogin.                              [DREW-RIPE, AKOL-RIPN]
 
 GOD#killall -KILL lifed && dd if=/dev/zero of=/dev/world; cd /src/world && make deinstall && make distclean && cat /patches/world0.01-0.59.patch | patch -p0 && make world && make installworld && /etc/rc.d/lifed start
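
Pawel's reply points at the contents of the jail's /dev. The script below is an added example, not part of the PR or of FreeBSD: it lists a jail's /dev and flags entries whose names match host-wide interfaces. The function names and the name list (IP Filter's ipl, ipnat, ipstate and ipauth, plus mem, kmem, io and bpf*) are assumptions made for this example, and matching is by name only.

```shell
#!/bin/sh
# Added example: flag entries in a jail's /dev that expose host-wide state.
# The name list is an assumption chosen for this example: IP Filter's
# control devices plus the memory, I/O and packet-capture devices.

# Read device names (one per line) on stdin; print "<name> <category>"
# for every name on the list.
flag_dev_names() {
    while IFS= read -r name; do
        case "$name" in
            ipl|ipnat|ipstate|ipauth) echo "$name ipfilter" ;;
            mem|kmem|io)              echo "$name host-memory" ;;
            bpf|bpf[0-9]*)            echo "$name packet-capture" ;;
        esac
    done
}

# audit_jail_dev JAILROOT
# Lists JAILROOT/dev and prints the flagged names.
# Returns 0 when nothing is flagged, 1 when at least one name is flagged,
# 2 when JAILROOT/dev does not exist.
audit_jail_dev() {
    devdir="$1/dev"
    [ -d "$devdir" ] || { echo "no such directory: $devdir" >&2; return 2; }
    flagged=$(ls -1 "$devdir" | flag_dev_names)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# When called with a jail root (for the PR's layout: /usr/jail), audit it.
[ $# -eq 0 ] || audit_jail_dev "$1"
```

Run on the host against the jail root before starting the jail; a non-zero exit status means the jail's /dev should be rebuilt as jail(8) describes.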
>Unformatted:
