vnet jail and ipfw/nat on host - keep-state problem?

Fbsd8 fbsd8 at a1poweruser.com
Fri Jul 11 13:33:32 UTC 2014


Peter Toth wrote:
> Have not used natd with IPFW much, as I have always preferred PF to do everything
> on the host.
> 
> I have only a wild guess - the "me" keyword in IPFW is substituted only with
> the IPs the host itself knows about.
> The host's IPFW firewall most likely doesn't know anything about IPs
> assigned to vnet interfaces inside the jail.
> 
> Vnet jails behave more like separate physical hosts.
> 
> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
> 
> The PF issue inside a jail is a separate problem, PF is not fully
> VIMAGE/VNET aware as far as I know.
> 
> Can someone comment on these or correct me?
> 
> P
> 
> 
> 
> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross <Peter.Ross at alumni.tu-berlin.de>
> wrote:
> 
>> On Thu, 10 Jul 2014, Peter Toth wrote:
>>
>>  Hi Peter,
>>> Try to make these changes:
>>>
>>> net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
>>> net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
>>> net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
>>> net.link.bridge.pfil_member=0  # Packet filter on the member interface
>>>
>>> You can find some info
>>> here http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>>
>>> I've had these issues before with PF and IPFW, by default these will be
>>> filtering on your bridge and member interfaces.
>>>
>> Thanks. It did not change anything.
>>
>> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>>
>> This on the host system:
>>
>> 01000 check-state
>> 01100 allow tcp from any to any established
>> 01200 allow ip from any to any frag
>> 00100 divert 8668 ip4 from any to any via age0
>> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>> 03200 allow udp from any to me dst-port 53 keep-state
>>
>> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>>
>> If I add
>>
>> 03300 allow udp from me 53 to any
>>
>> it works.
>>
>> So it makes me think check-state isn't usable - because
>>
>> 03200 allow udp from any to me dst-port 53 keep-state
>>
>> should cover the returning packets.
>>
>> I played with your parameters but it did not help. But thanks for the idea.
>>
>> Here again the setup:
>>
>> Internet->age0(host interface with natd and external IP)
>> ->bridge10(10.0.10.254)->epair1a
>> ->epair1b(10.0.10.1 in bind vnet jail)
>>
>> I wonder what kind of restrictions exist with vnet. It does not seem to
>> work _exactly_ like a "real" network stack (the issues with pf inside the
>> jail make me think of it too).
>>
>> Did I find a restriction, a bug - or just that I've got it wrong?
>>
>> Regards
>> Peter

Any firewall function that runs in the kernel will not function inside
a vnet/vimage jail.
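The keep-state/natd interaction Peter Ross describes above, as an added example that is not part of the thread and not FreeBSD code: a small Python model of ipfw rule traversal under the semantics documented in ipfw(8), namely that a keep-state rule records the packet's 5-tuple as it looks when the rule matches, that check-state matches that tuple in either direction and executes the action of the rule that created it, that a divert rule hands the packet to natd, which rewrites it, with processing resuming at the next rule, and that the ruleset ends in default deny. It replays one DNS query and its reply through the four passes the host makes (in via age0, out via bridge10, in via bridge10, out via age0). Under these assumptions the posted ruleset drops the reply on the last pass: natd at rule 100 has already rewritten the source to the external address before check-state at 1000 sees it, so the tuple no longer matches the state created by rule 3100 (client to 10.0.10.1:53), and rule 3200 never created state because inbound packets had already been translated to 10.0.10.1 before reaching it. The stateless rule 3300 allows the reply, as observed. The third ruleset goes beyond the thread: it diverts only inbound traffic before check-state and has the state-creating rule skipto past an outbound-only divert, so the reply is translated and then allowed while the stored tuple stays internal. The external address 203.0.113.10, client 198.51.100.7 and client port 40000 are constructed.

```python
"""Model of ipfw rule traversal with keep-state/check-state and a natd divert.

Added example for this thread, not code from it or from FreeBSD. The ipfw(8)
semantics it assumes are spelled out in the lead-in; the external and client
addresses and the client port are constructed.
"""
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.10"          # host's address on age0 (constructed)
JAIL_IP = "10.0.10.1"            # bind vnet jail on epair1b (from the thread)
ME = {EXT_IP, "10.0.10.254"}     # what "me" resolves to on the host
CLIENT = "198.51.100.7"          # a DNS client on the Internet (constructed)


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface ipfw sees the packet on
    direction: str   # "in" or "out"


def natd(p):
    """natd with 'redirect_port udp 10.0.10.1:53 external.ip:53' and its reverse."""
    if p.direction == "in" and (p.dst, p.dport) == (EXT_IP, 53):
        return replace(p, dst=JAIL_IP)
    if p.direction == "out" and (p.src, p.sport) == (JAIL_IP, 53):
        return replace(p, src=EXT_IP)
    return p


def flow_key(p):
    """Direction-independent 5-tuple: what a dynamic rule stores."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a < b else b + a)


def udp53(dsts):
    return lambda p: p.proto == "udp" and p.dst in dsts and p.dport == 53


def via(iface, direction=None):
    return lambda p: p.iface == iface and direction in (None, p.direction)


def run(rules, state, p):
    """One ipfw pass. `rules` is sorted (number, action, arg, match, keep_state);
    `state` maps flow_key -> creating rule and is updated in place, like the
    kernel's dynamic table. Returns (verdict, packet as it leaves ipfw)."""
    i = 0
    while i < len(rules):
        num, action, arg, match, keep = rules[i]
        if action == "check-state":
            parent = state.get(flow_key(p))
            if parent is None:
                i += 1
                continue
            _, action, arg, _, _ = parent   # act as the rule that created the state
            keep = False
        elif not match(p):
            i += 1
            continue
        if keep:
            state[flow_key(p)] = rules[i]   # tuple recorded as it looks *now*
        if action in ("allow", "deny"):
            return action, p
        if action == "divert":
            p = natd(p)                     # rewritten packet resumes at the next rule
            i += 1
        else:                               # skipto
            i = next(k for k, r in enumerate(rules) if r[0] >= arg)
    return "deny", p                        # implicit default deny


# Peter Ross's host ruleset, without the tcp/frag rules, which do not concern UDP.
THREAD = [
    (100, "divert", 8668, via("age0"), False),
    (1000, "check-state", None, None, False),
    (3100, "allow", None, udp53({JAIL_IP}), True),
    (3200, "allow", None, udp53(ME), True),
]
# The same plus the stateless rule 03300 that made it work.
THREAD_PLUS_3300 = THREAD + [
    (3300, "allow", None,
     lambda p: p.proto == "udp" and p.src in ME and p.sport == 53, False),
]
# Not from the thread: inbound-only divert before check-state, and the
# state-creating rule jumps past an outbound-only divert (hypothetical numbers).
SKIPTO = [
    (100, "divert", 8668, via("age0", "in"), False),
    (1000, "check-state", None, None, False),
    (3100, "skipto", 8000, udp53({JAIL_IP}), True),
    (8000, "divert", 8668, via("age0", "out"), False),
    (8001, "allow", None, lambda p: True, False),
]


def dns_exchange(rules):
    """Replay one query and reply along Internet -> age0 -> bridge10 -> epair1a
    -> jail and back; returns (verdict, source address) for each host pass."""
    state = {}
    hops = [
        Pkt("udp", CLIENT, 40000, EXT_IP, 53, "age0", "in"),        # query arrives
        Pkt("udp", CLIENT, 40000, JAIL_IP, 53, "bridge10", "out"),  # forwarded to jail
        Pkt("udp", JAIL_IP, 53, CLIENT, 40000, "bridge10", "in"),   # reply from jail
        Pkt("udp", JAIL_IP, 53, CLIENT, 40000, "age0", "out"),      # reply leaves
    ]
    return [(v, q.src) for v, q in (run(rules, state, p) for p in hops)]
```

Running dns_exchange() over the three rulesets gives allow/allow/allow/deny for the posted rules (the reply reaches the last pass with source 203.0.113.10 and matches no state), allow on every pass with rule 3300 added, and allow on every pass with the skipto variant, where the reply is also translated before it is allowed. The model ignores natd's own dynamic aliasing table and the bridge-level pfil hooks, neither of which changes the ordering problem shown.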

More information about the freebsd-jail mailing list