vnet jail and ipfw/nat on host - keep-state problem?

Peter Toth peter.toth198 at gmail.com
Fri Jul 11 20:21:42 UTC 2014


This sounds a bit vague, can you please explain in more detail what you
meant by this?

IPFW works inside a vnet jail - you can manage per jail firewall instances
without any issues.

The only firewall which cannot function inside a jail (yet) is PF.

P


On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 <fbsd8 at a1poweruser.com> wrote:

> Peter Toth wrote:
>
>> Have not used natd with IPFW much as always preferred PF to do everything
>> on the host.
>>
>> I have only a wild guess - the "me" keyword in IPFW is substituted only to
>> the host's IPs known to itself.
>> The host's IPFW firewall most likely doesn't know anything about IPs
>> assigned to vnet interfaces inside the jail.
>>
>> Vnet jails behave more like separate physical hosts.
>>
>> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>>
>> The PF issue inside a jail is a separate problem, PF is not fully
>> VIMAGE/VNET aware as far as I know.
>>
>> Can someone comment on these or correct me?
>>
>> P
>>
>>
>>
>> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross <Peter.Ross at alumni.tu-berlin.de>
>> wrote:
>>
>>> On Thu, 10 Jul 2014, Peter Toth wrote:
>>>
>>>> Hi Peter,
>>>
>>>> Try to make these changes:
>>>>
>>>> net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
>>>> net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
>>>> net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
>>>> net.link.bridge.pfil_member=0  # Packet filter on the member interface
>>>>
>>>> You can find some info
>>>> here http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>>>
>>>> I've had these issues before with PF and IPFW, by default these will be
>>>> filtering on your bridge and member interfaces.
>>>>
>>> Thanks. It did not change anything.
>>>
>>> Now, inside_ the jail I run "ipfw allow ip from any to any".
>>>
>>> This on the host system:
>>>
>>> 01000 check-state
>>> 01100 allow tcp from any to any established
>>> 01200 allow ip from any to any frag
>>> 00100 divert 8668 ip4 from any to any via age0
>>> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>>> 03200 allow udp from any to me dst-port 53 keep-state
>>>
>>> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>>>
>>> If I add
>>>
>>> 03300 allow udp from me 53 to any
>>>
>>> it works..
>>>
>>> So it makes me think check-state isn't usable - because
>>>
>>> 03200 allow udp from any to me dst-port 53 keep-state
>>>
>>> should cover the returning packets.
>>>
>>> I played with your parameters but it did not help. But thanks for the
>>> idea.
>>>
>>> Here again the setup:
>>>
>>> Internet->age0(host interface with natd and external IP)
>>> ->bridge10(10.0.10.254)->epair1a
>>> ->epair1b(10.0.10.1 in bind vnet jail)
>>>
>>> I wonder what kind of restrictions exist with vnet.. it does not seem to
>>> work _exactly_ as a "real" network stack (the issues with pf inside the
>>> jail let me think of it too)
>>>
>>> Did I find a restriction, a bug - or just that I've got it wrong?
>>>
>>> Regards
>>> Peter
>>>
>>
> Any firewall function that runs in the kernel will not function inside of
> a vnet/vimage jail.
>
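The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of the host ruleset Peter Ross quoted, with natd's `redirect_port udp 10.0.10.1:53 external.ip:53` and ipfw's divert, keep-state and check-state behaviour reduced to a few lines. It assumes what ipfw actually does: rules are evaluated in numeric order (so 00100 divert runs before 01000 check-state regardless of how the listing was typed), a packet handed to natd by a divert rule resumes at the next rule, keep-state records the addresses the packet has at that rule, and check-state matches recorded states in either direction. Every address except 10.0.10.1 and 10.0.10.254 is a constructed placeholder, and rules 01100 (tcp established) and 01200 (frag) are omitted because they cannot match a UDP DNS packet. In this model the dynamic rule created on the way in holds the post-NAT destination 10.0.10.1, while the jail's reply is translated to the external address by the divert rule before check-state sees it, so the state never matches and the packet falls through to the default deny; rule 03300 is what lets the translated reply out.

```python
"""Constructed model of the ipfw + natd ruleset quoted in the thread (added example)."""
from dataclasses import dataclass, replace

EXTERNAL_IP = "203.0.113.10"        # placeholder for "external.ip" in the thread
BRIDGE_IP = "10.0.10.254"           # bridge10 address from the thread
JAIL_IP = "10.0.10.1"               # epair1b address inside the vnet jail
ME = {EXTERNAL_IP, BRIDGE_IP}       # what ipfw's "me" expands to on the host
CLIENT = ("198.51.100.7", 40000)    # constructed remote DNS client


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet crosses
    direction: str   # "in" or "out"


def natd(pkt):
    """Model of natd with redirect_port udp 10.0.10.1:53 external.ip:53 plus masquerading."""
    if pkt.direction == "in" and pkt.proto == "udp" and (pkt.dst, pkt.dport) == (EXTERNAL_IP, 53):
        return replace(pkt, dst=JAIL_IP)          # inbound DNS is redirected to the jail
    if pkt.direction == "out" and pkt.src.startswith("10.0.10."):
        return replace(pkt, src=EXTERNAL_IP)      # outbound LAN source is hidden behind the host
    return pkt


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])  # ipfw evaluates by rule number
        self.states = set()                             # dynamic rules: (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, pkt):
        """Return (verdict, rule number) for pkt, creating dynamic state where keep-state matches."""
        for num, action, match in self.rules:
            if action == "divert":
                if match(pkt):
                    pkt = natd(pkt)               # natd rewrites, then processing resumes at the next rule
                continue
            if action == "check-state":
                if self._key(pkt) in self.states or self._reverse(pkt) in self.states:
                    return ("allow", num)
                continue
            if match(pkt):
                if action == "allow keep-state":
                    self.states.add(self._key(pkt))   # state holds the addresses as seen here (post-NAT)
                return ("allow", num)
        return ("deny", 65535)                        # ipfw default rule


def host_rules(with_rule_3300):
    """The host ruleset from the thread, optionally with the 03300 rule that made it work."""
    rules = [
        (100, "divert", lambda p: p.iface == "age0"),                 # divert 8668 ip4 from any to any via age0
        (1000, "check-state", None),
        (3100, "allow keep-state",                                    # allow udp from any to 10.0.10.1 dst-port 53 keep-state
         lambda p: p.proto == "udp" and p.dst == JAIL_IP and p.dport == 53),
        (3200, "allow keep-state",                                    # allow udp from any to me dst-port 53 keep-state
         lambda p: p.proto == "udp" and p.dst in ME and p.dport == 53),
    ]
    if with_rule_3300:                                                # allow udp from me 53 to any
        rules.append((3300, "allow", lambda p: p.proto == "udp" and p.src in ME and p.sport == 53))
    return rules


def dns_exchange(with_rule_3300):
    """One DNS query from the Internet and the jail's reply, both crossing age0 on the host."""
    fw = Firewall(host_rules(with_rule_3300))
    query = Packet("udp", CLIENT[0], CLIENT[1], EXTERNAL_IP, 53, "age0", "in")
    reply = Packet("udp", JAIL_IP, 53, CLIENT[0], CLIENT[1], "age0", "out")
    q = fw.evaluate(query)
    r = fw.evaluate(reply)
    return q, r, sorted(fw.states)


if __name__ == "__main__":
    for flag in (False, True):
        q, r, states = dns_exchange(flag)
        print(f"rule 03300 {'present' if flag else 'absent'}: query={q} reply={r} states={states}")
```

Running it prints the query accepted by 03100 in both cases; without 03300 the reply is denied by the default rule even though a dynamic state exists, because the state records the client talking to 10.0.10.1 while the reply reaching check-state already carries the external address. The model is deliberately limited to the two packets in the thread; it does not simulate the bridge or epair path, where the pfil_bridge/pfil_member sysctls from the thread decide whether the same ruleset is consulted again.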