cdcc RTTs in FreeBSD Jails

Vernon Schryver vjs@calcite.rhyolite.com
Tue Jun 1 18:20:00 UTC 2004


> From: Andy Hilker 

> I could make (nearly) every server work by putting it on top of
> map.txt. But only the first entry in map.txt generates a udp packet
> (and gets a reply).
>
> Any other idea or hint, what I could try?

Consider the situation.  You make a change outside the DCC code and
something stops working.  Where is the best place to look for the
cause of the problem, in the DCC code or in the outside change?


> 212.203.14.116,-            anon
> # * 212.203.14.116,-                                        EATSERVER ID 1166
> #     100% of  3 requests ok   61.08 ms RTT             43 ms queue wait
>
> 153.19.44.252,-             anon
> #   153.19.44.252,-                                 
> #      not answering
>
> 136.199.8.61,-              anon
> #   136.199.8.61,-                                  
> #      not answering

Do you have a firewall of some sort somehow associated with this "jail"
that allows only one (synthetic) UDP/IP "session" at a time?  That
would explain what you are seeing.  The FreeBSD "jail" man pages talk
about IP addresses, so it seems plausible that some kind of packet
filtering or firewalling is involved.

http://www.google.com/search?q=jail%20freebsd%20firewall
finds problems that look similar to yours.

Judging from
http://docs.freebsd.org/44doc/papers/jail/jail.html
http://docs.freebsd.org/44doc/papers/jail/jail-4.html#section4
http://docs.freebsd.org/44doc/papers/jail/jail-5.html#section5
I suspect you have found bugs in FreeBSD jail code.


A lot of stuff sold as "security" is snake oil.  Many other security
mechanisms are not worthwhile.  Good security does not involve doing
whatever can be done, but consists of measured responses against
coherent and specific threat models.  What threat model requires
running your MTA inside a jail?


Vernon Schryver    vjs@rhyolite.com


