Board: FB_security
Title: Re: [patch] Raw sockets in jails
Posted from: NCTU CSIE FreeBSD Server (Tue Apr 20 09:28:47 2004)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail
In message <[email protected]>, "Christian S.J. Peron" writes:
>
> Although RAW sockets can be used when specifying the source
> address of packets (defeating one of the aspects of the jail)
> some people may find it useful to use utilities like ping(8)
> or traceroute(8) from inside jails.
>
> Enclosed is a patch I have written which gives you the option
> of allowing prison-root to create raw sockets inside the prison,
> so that various network debugging programs like ping
> and traceroute etc can be used.
>
> This patch will create the security.jail.allow_raw_sockets sysctl
> MIB. I would appreciate any feed-back from testers
>
> See PR #:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65800

Could you take a peek and see how hard it would be to enforce source-IP
compliance with the jail restriction?
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
[email protected] | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
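
The source-IP compliance asked about above, sketched as an added userland example; it is not part of this thread, the enclosed patch, or the FreeBSD kernel. The names jail_check_src and make_hdr, the verdict values, and the sample addresses are hypothetical, and the packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum src_verdict { SRC_REJECT = -1, SRC_OK = 0, SRC_FILLED = 1 };

/* Hypothetical check, not FreeBSD kernel code. pkt is what a jailed process
 * passed to a raw socket with its own IPv4 header; jail_ip is the jail's
 * address in wire (network) byte order. */
enum src_verdict jail_check_src(uint8_t *pkt, size_t len, const uint8_t jail_ip[4])
{
    static const uint8_t any[4] = {0, 0, 0, 0};
    size_t hlen;

    if (len < 20 || (pkt[0] >> 4) != 4)     /* truncated or not IPv4 */
        return SRC_REJECT;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)            /* bogus header length */
        return SRC_REJECT;
    if (memcmp(pkt + 12, any, 4) == 0) {    /* source unset: use jail address */
        memcpy(pkt + 12, jail_ip, 4);       /* checksum must be redone later */
        return SRC_FILLED;
    }
    return memcmp(pkt + 12, jail_ip, 4) == 0 ? SRC_OK : SRC_REJECT;
}

/* Build a constructed 20-byte IPv4/ICMP header with the given source. */
void make_hdr(uint8_t *buf, const uint8_t src[4])
{
    memset(buf, 0, 20);
    buf[0] = 0x45;              /* version 4, IHL 5 */
    buf[3] = 20;                /* total length */
    buf[8] = 64;                /* TTL */
    buf[9] = 1;                 /* protocol: ICMP */
    memcpy(buf + 12, src, 4);
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 1; /* dst 192.0.2.1 */
}

int main(void)
{
    const uint8_t jail[4] = {10, 0, 0, 5}, spoof[4] = {10, 0, 0, 99};
    uint8_t p[20];

    make_hdr(p, jail);  printf("own address: %d\n", jail_check_src(p, 20, jail));
    make_hdr(p, spoof); printf("spoofed:     %d\n", jail_check_src(p, 20, jail));
    return 0;
}
```
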