securelevel in VNET jails using ipfw(8)
Ian Smith
smithi at nimnet.asn.au
Sun Jul 13 06:26:25 UTC 2014
On Sun, 13 Jul 2014 07:42:42 +1200, Peter Toth wrote:
> Hi Ian,
>
> This is for the jail's securelevel option. If you set it to the highest
> number 3 it will fail to load IPFW rules in a jail during startup.
>
> Snip from "man securelevel":
> Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> Cheers,
> Peter
I understood why 3 wouldn't work. What I hadn't realised was that you
were defaulting iocage jails to securelevel 3, which just shows that I
hadn't read the manual :)
ezjail has tests for securelevel > 0 re installing or updating, but I
assumed that to refer to the host's securelevel.
Thanks, Ian
> On Sun, Jul 13, 2014 at 4:08 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
>
> > Hi Peter,
> >
> > from your FAQ at http://iocage.readthedocs.org/en/latest/faq.html
> >
> > "If you plan on using IPFW inside a jail make sure securelevel is set to 2"
> >
> > Unless this is also a FAQ you can point me to, can you explain why this
> > is needed? Reading security(7) leaves me unclear on how securelevels
> > apply in a jail, or what it may be about ipfw(8) particularly that could
> > compromise jail (or host?) security, that other services could not?
> >
> > cheers, Ian
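As an added example (not part of this thread, and not iocage's or ezjail's own code), the following sh script lints a jail.conf(5) for jails whose effective securelevel would be 3, the level at which the security(7) text quoted above says ipfw(8) rules can no longer be changed, so the jail's rc.firewall run fails at startup. The sample jail.conf is constructed for the example; the host's level is read from kern.securelevel where that sysctl exists and is otherwise assumed to be 0. A jail-local `securelevel` wins over a global one, which in turn wins over the inherited host level, and a jail is never reported below the host's level, as jail(8) describes.

```shell
#!/bin/sh
# Added example: find jails whose securelevel blocks ipfw(8) rule loading.
# Not iocage/ezjail code; jail.conf sample below is constructed.

# Highest securelevel at which packet filter rules may still be changed.
# security(7): level 3 ("network secure mode") freezes ipfw/pf rules.
IPFW_MAX_SECURELEVEL=2

# effective_securelevel NAME CONF HOSTLEVEL
# Prints the securelevel jail NAME will run with according to CONF:
# jail-local setting > global setting > inherited host level, never below host.
effective_securelevel() {
    awk -v jail="$1" -v host="$3" '
        /^[[:space:]]*#/ { next }                       # skip comments
        index($0, "{") {                                # "name {" opens a jail block
            name = substr($0, 1, index($0, "{") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            in_block = 1
            next
        }
        index($0, "}") { in_block = 0; next }           # block closes
        /^[[:space:]]*securelevel[[:space:]]*=/ {
            v = $0
            sub(/^[[:space:]]*securelevel[[:space:]]*=[[:space:]]*/, "", v)
            sub(/[[:space:];].*$/, "", v)               # drop ";" and anything after
            if (in_block) { if (name == jail) local = v } else { global = v }
        }
        END {
            level = host
            if (global != "") level = global
            if (local != "") level = local
            if (level + 0 < host + 0) level = host        # jail(8): never below parent
            print level + 0
        }
    ' "$2"
}

# ipfw_rules_loadable LEVEL: succeeds if ipfw rules can be changed at LEVEL.
ipfw_rules_loadable() {
    [ "$1" -le "$IPFW_MAX_SECURELEVEL" ]
}

# lint_jail_conf CONF HOSTLEVEL: prints "NAME LEVEL ok|ipfw-blocked" per jail.
lint_jail_conf() {
    conf=$1
    host=$2
    awk '/^[[:space:]]*#/ { next }
         index($0, "{") {
             n = substr($0, 1, index($0, "{") - 1)
             gsub(/^[[:space:]]+|[[:space:]]+$/, "", n)
             if (n != "") print n
         }' "$conf" |
    while read -r name; do
        level=$(effective_securelevel "$name" "$conf" "$host")
        if ipfw_rules_loadable "$level"; then status=ok; else status=ipfw-blocked; fi
        printf '%s %s %s\n' "$name" "$level" "$status"
    done
}

# Constructed sample jail.conf: a global securelevel of 3 (the iocage default
# the thread mentions) with one jail overriding it to 2 so its rules can load.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real configuration
securelevel = 3;

web {
    path = "/usr/jails/web";
    securelevel = 2;
    exec.start = "/bin/sh /etc/rc";
}

db {
    path = "/usr/jails/db";
    exec.start = "/bin/sh /etc/rc";
}
EOF

# Host securelevel: kern.securelevel on FreeBSD; assume 0 where unavailable.
HOST_LEVEL=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
[ -n "$HOST_LEVEL" ] || HOST_LEVEL=0

lint_jail_conf "$SAMPLE_CONF" "$HOST_LEVEL"
```

Run against the sample, `web` reports `2 ok` while `db`, which inherits the global 3, reports `ipfw-blocked`; pointing the script at a real /etc/jail.conf gives the same per-jail verdict before the jails are started.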