Re: Closing information leaks in jails?
On Thu, Aug 18, 2005 at 10:44:42PM +0000, Nate Nielsen wrote:
> netstat works, but it limits itself to the jail pretty well. In
> particular 'netstat -r' and friends don't work. The normal 'netstat -a'
> only shows connections to the current jail. It does show the output from
> 'netstat -m' and those sort of things, but those say nothing over the
> network load of the current machine.
One can use the bmon application in a jail to graph network activity in real time,
for example:
% sysctl -a | grep jail
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 1
% id
uid=11226(pawmal) gid=10999(pawmal) groups=10999(pawmal)
% bmon
  #   Interface     RX Rate     RX #     TX Rate     TX #
.....................................................................................
xxx (source: local)
  0   fxp0          1.29KiB       23    32.51KiB       34
  1   lo0           442.00B        2     442.00B        2
  2   vlan3         660.00B       11    32.40KiB       27
  3   vlan4         419.00B        5       0.00B        0
  4   vlan6           0.00B        0       0.00B        0
  5   vlan9           0.00B        0       0.00B        0
--
Paweł Małachowski
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security