Bug 210049

Summary: jails mishandle the default lo0 127.0.0.1 loopback interface
Product: Base System
Reporter: Joe Barbish <qjail1>
Component: kern
Assignee: freebsd-jail (Nobody) <jail>
Status: New ---
Severity: Affects Many People
CC: crest, dch, jamie, me, pat, zlei
Priority: ---
Version: 10.3-RELEASE
Hardware: Any
OS: Any

Description Joe Barbish 2016-06-05 13:19:00 UTC
The undocumented behavior of non-vimage jails populated with a port or pkg that defaults to communicating over the lo0 127.0.0.1 loopback interface is to simply map it over with the jail's defined primary IP address. This default jail behavior exposes that port/pkg to all the traffic entering the jail over its primary IP address whether from the LAN or public network. This is a security issue.

This is not the behavior of 127.0.0.1 as defined in [RFC1700, page 5] which states "127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host." In a jail's case the word "host" would also mean "jail".

The administrators of such jails have to manually activate loopback by adding lo0:127.0.0.x to the jail's ip4_addr parameter value along with the jail's primary IP address. Then manually change the conf file of all the applications running in that jail to use that lo0 127.0.0.x IP address. Or an alternate is to add a statement to the host's rc.conf to clone the lo0 interface and then code as above. This means each jail has a unique loopback IP address.

This manual workaround is not documented and should not be necessary. The non-vimage jail should just handle loopback localhost by default. The kernel lo0 interface needs to be made jail aware.

This issue has been recently discussed with James Gritton jamie@freebsd.org and he agrees it's time to address this long outstanding security issue.
Comment 1 crest 2024-12-18 03:36:32 UTC
Alias jails map 127.0.0.1 and
Comment 2 Zhenlei Huang freebsd_committer freebsd_triage 2024-12-18 08:46:49 UTC
Or we should document this security issue in the **BUGS** section before a final fix?
Comment 3 crest 2024-12-18 09:26:04 UTC
Alias jails map 127.0.0.1 (and ::1) to their primary alias IP address per address family. This can be quite useful to intentionally expose a service bound to a changing IP address per launch, but it can also expose services that are only meant to listen to the loopback address which a jail with alias networking doesn't have unless the loopback address is one of its alias IP addresses. Documenting this behaviour more prominently is the best we can do without breaking this double-edged feature.
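
An added example (not part of the bug report and not FreeBSD code): a small Python model of the remap described in comment 3, used to list which loopback-only services end up reachable on a jail's primary address. The function names, service list and addresses are constructed for illustration, and addresses are assumed to be given in configured order.

```python
import ipaddress

# The two loopback addresses comment 3 says alias (non-VIMAGE) jails remap.
LOOPBACK = {4: ipaddress.ip_address("127.0.0.1"), 6: ipaddress.ip_address("::1")}


def effective_bind(requested, jail_addrs):
    """Model of the remap from comment 3 (an illustration, not kernel code).

    requested  -- address the application asks to bind to
    jail_addrs -- the jail's addresses, in configured order
    """
    req = ipaddress.ip_address(requested)
    addrs = [ipaddress.ip_address(a) for a in jail_addrs]
    if req != LOOPBACK[req.version]:
        return req                      # not 127.0.0.1 or ::1: no remap modelled
    if req in addrs:
        return req                      # jail owns the loopback address itself
    same_family = [a for a in addrs if a.version == req.version]
    if not same_family:
        return None                     # jail has no address in this family
    return same_family[0]               # primary address of that family


def exposed_services(services, jail_addrs):
    """Return (name, port, address) for services configured for loopback
    that end up listening on a non-loopback jail address."""
    findings = []
    for name, bind, port in services:
        eff = effective_bind(bind, jail_addrs)
        intended_local = ipaddress.ip_address(bind).is_loopback
        if intended_local and eff is not None and not eff.is_loopback:
            findings.append((name, port, str(eff)))
    return findings


# Constructed sample data using documentation address ranges.
SERVICES = [("redis", "127.0.0.1", 6379),
            ("admin-ui", "::1", 8443),
            ("nginx", "192.0.2.10", 443)]
PLAIN_JAIL = ["192.0.2.10", "2001:db8::10"]
LOOPBACK_JAIL = ["192.0.2.10", "127.0.0.1", "2001:db8::10", "::1"]

if __name__ == "__main__":
    for label, jail in (("plain", PLAIN_JAIL), ("with loopback", LOOPBACK_JAIL)):
        print(label, exposed_services(SERVICES, jail))
```

Feeding it each jail's real address list and the bind addresses from the applications' configuration files gives a quick inventory of services to move to a dedicated loopback alias or to firewall on the primary address.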