Issue
The proxy currently binds to 0.0.0.0 (all interfaces) when running in strong jail mode to be accessible from the veth interface. This potentially exposes the proxy ports to external networks, which is a security concern.
Current Behavior
In src/main.rs, the proxy binding is determined as:
    let bind_address = if args.weak || args.server {
        None // defaults to 127.0.0.1
    } else {
        Some([0, 0, 0, 0]) // bind to all interfaces for strong jail
    };
Desired Behavior
The proxy should bind only to the specific veth host IP address (e.g., 10.99.X.1) that is computed during jail setup. This would ensure the proxy is only accessible from within the jail's network namespace and not from external interfaces.
Implementation Notes
- The jail computes a unique subnet for each jail (e.g., 10.99.36.0/30)
- The host side of the veth pair gets .1 (e.g., 10.99.36.1)
- This IP is stored in LinuxJail.host_ip
- Need to pass this IP from the jail setup to the proxy initialization
- The proxy should bind specifically to this IP instead of 0.0.0.0
Security Impact
- Current: Proxy ports are exposed on all network interfaces
- Proposed: Proxy ports only accessible from the jail's veth interface
This change would significantly reduce the attack surface by ensuring the proxy is not accidentally exposed to external networks.
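A sketch of the address selection this issue proposes, as an added example rather than the project's own code. `Mode`, `veth_host_ip`, `proxy_bind_ip` and `bind_proxy` are hypothetical names, port 8080 is a constructed value, and the /30 layout with the host on .1 is taken from the implementation notes above. Strong mode fails closed instead of falling back to the wildcard address.

```rust
use std::io;
use std::net::{IpAddr, Ipv4Addr, SocketAddr, TcpListener};

/// Jail modes named in the issue (this enum itself is hypothetical).
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Mode { Weak, Server, Strong }

/// Host side of the veth pair: network address of the jail's /30 plus one.
pub fn veth_host_ip(subnet: Ipv4Addr) -> Ipv4Addr {
    Ipv4Addr::from((u32::from(subnet) & !0b11) + 1)
}

/// Choose the proxy bind address. Weak and server modes keep 127.0.0.1;
/// strong mode requires the veth host IP and never returns 0.0.0.0.
pub fn proxy_bind_ip(mode: Mode, host_ip: Option<Ipv4Addr>) -> io::Result<IpAddr> {
    match (mode, host_ip) {
        (Mode::Weak, _) | (Mode::Server, _) => Ok(IpAddr::V4(Ipv4Addr::LOCALHOST)),
        (Mode::Strong, Some(ip)) if !ip.is_unspecified() && !ip.is_loopback() => {
            Ok(IpAddr::V4(ip))
        }
        (Mode::Strong, _) => Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "strong jail needs the veth host IP; refusing wildcard bind",
        )),
    }
}

/// Bind the listener, rejecting a wildcard address before any socket exists.
pub fn bind_proxy(ip: IpAddr, port: u16) -> io::Result<TcpListener> {
    if ip.is_unspecified() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "wildcard bind rejected"));
    }
    TcpListener::bind(SocketAddr::new(ip, port))
}

fn main() {
    // Constructed sample: the /30 the issue uses as its example.
    let host = veth_host_ip(Ipv4Addr::new(10, 99, 36, 0));
    match proxy_bind_ip(Mode::Strong, Some(host)).and_then(|ip| bind_proxy(ip, 8080)) {
        Ok(l) => println!("proxy listening on {:?}", l.local_addr()),
        // Expected on a machine where the veth interface has not been created.
        Err(e) => println!("not listening: {e}"),
    }
}
```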