[lxc-users] lxc-security: iptables audit with nflog not working with default settings (insecure)
Fajar A. Nugraha
list at fajar.net
Wed Mar 11 15:43:59 UTC 2015
On Wed, Mar 11, 2015 at 8:03 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at> wrote:
> But the current issue is different: The guest can snoop on the NFLOG messages
> generated on host and destined for the host and hence can get knowledge of ANY
> NFLOGed connection of host or any guest, no matter if on same bridge or
> another one.
Ah, sorry I misunderstood your problem.
All I can say is that it works for me on my simple test. I have ulogd2
on both host and guest, and if you look at my iptables command on the
host and guest, they are almost identical (including nflog group)
except for chain names (forward/input/output). The logged packets are
from the correct one (the one inside the container has in/out=eth0,
while the one on the host has in/out=br0).
That was on Ubuntu 14.10 (kernel 3.16) with lxc-1.1 from the daily PPA, so
you might want to try that before filing a bug report to Ubuntu.
--
Fajar
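As an added illustration (not code from this thread, from LXC or from ulogd2): the reply above notes that a guest's own NFLOG entries show in/out=eth0 while the host's show in/out=br0, so a container-side check can flag logged packets carrying interfaces the container does not own, which would be the symptom Roman describes. The ulogd2 line format, interface names and sample lines are assumptions constructed for the example.

```python
import re

# Constructed sample lines in the style of ulogd2 syslog-style output
# (format assumed; real lines carry more fields). The first two look like
# a container's own traffic on eth0; the third carries IN=br0, an interface
# that only exists on the host, so it should never reach a guest's NFLOG reader.
SAMPLE_LOG = """\
Mar 11 15:40:01 ct1 IN=eth0 OUT= SRC=10.0.3.5 DST=10.0.3.1 PROTO=TCP SPT=51000 DPT=22
Mar 11 15:40:02 ct1 IN= OUT=eth0 SRC=10.0.3.5 DST=10.0.3.1 PROTO=TCP SPT=51001 DPT=80
Mar 11 15:40:03 ct1 IN=br0 OUT=eth0 SRC=192.168.1.20 DST=10.0.3.9 PROTO=TCP SPT=44444 DPT=443
"""

# KEY=value fields; the value may be empty (e.g. "OUT=" for locally delivered packets)
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_line(line):
    """Return a dict of KEY=value fields from one ulogd2-style log line."""
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}


def foreign_interface_entries(log_text, local_ifaces):
    """Return parsed entries whose IN or OUT interface is not one of the
    interfaces present in this container. The empty value is allowed because
    NFLOG leaves IN or OUT blank for locally generated or terminated packets."""
    allowed = set(local_ifaces) | {""}
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue  # not a packet log line
        if fields.get("IN", "") not in allowed or fields.get("OUT", "") not in allowed:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    # Inside a guest, interfaces it owns would come from e.g. /sys/class/net
    for entry in foreign_interface_entries(SAMPLE_LOG, ["eth0", "lo"]):
        print("possible host NFLOG leak:", entry)
```

Running it against a real container's ulogd2 output with that container's actual interface list tells you whether host-side NFLOG messages are reaching the guest.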