[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] [PATCH] "Locally configured IP" check in ezjail-admin is not 100% reliable



On 14.01.12 23:44, Dewayne Geraghty wrote:

[Replying to a private message to the list, I hope that's okay]

tl;dr: From FreeBSD 9.0 nc successfully binds on ip addresses that are
not locally configured using the IP_BINDANY option. This is to allow
transparent proxying.

> After inspecting http://svnweb.freebsd.org/base/stable/9/usr.bin/nc/Makefile?view=log I'm unable to explain why the nc test
> always succeeds.  nc is able to send and receive between hosts so it is "working".  The test performs as expected on an older
> FreeBSD

Looks like this commit

http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/netcat/netcat.c.diff?r1=1.8;r2=1.9;f=h

in function remote_connect(), new lines 557-560 allow the socket to:

If the IP_BINDANY option is enabled on a SOCK_STREAM, SOCK_DGRAM or a
SOCK_RAW socket, one can bind(2) to any address, even one not bound to
any available network interface in the system.  This functionality (in
conjunction with special firewall rules) can be used for implementing a
transparent proxy. The PRIV_NETINET_BINDANY privilege is needed to set
this option.

http://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=0&manpath=FreeBSD+9.0-RELEASE&arch=default&format=html

As the source shows, this flag is not configurable. So I guess it was a
nice idea that was killed a while ago without us noticing it's dead
already :(

  erdgeist