IPFW2 logging inside VIMAGE Jails?

Ernie Luzar luzar722 at gmail.com
Tue Apr 21 12:57:56 UTC 2015


Kai Gallasch wrote:
> Hi.
> 
> Is it possible at all to log actions of IPFW
> firewall inside a running vnet/VIMAGE jail to the vnet/VIMAGE jail's syslog?

NO. Not at this time.

> 
> I'm asking, because I see no firewall log entries inside the jail's
> /var/log/security log.
> 
> What I find is, that log messages of jails with active IPFW rules are
> only logged on the jailhost (/var/log/security) - out of reach of any
> local jail admins..
>  
> My kernel is built without firewall support. The ipfw.ko is loaded
> dynamically when the server starts. No PF firewall is in use.

Compiling IPFW into the host's kernel makes no difference either.

> 
> - FreeBSD 10.1-RELEASE-p9
> - /dev/bpf available inside jails
> - firewall logging enabled on the jailhost and also inside the jail
> 
> I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178482 (2
> years old, FreeBSD 9.1 related)
> 
> Cheers,
> Kai.
> 
> 

As PR# 178482 shows, this bug has not been addressed in over 2 years and 
your recent testing shows this bug is still present in the current 
production RELEASE 10.1 of FreeBSD.

In a nutshell, VIMAGE is experimental; IPFW was only made vimage-aware 
enough so it would not cause the host to abend. IPFW and vimage still 
don't integrate correctly.

The fact that IPFW can run on a host kernel with vimage compiled in and 
also in a vnet jail at the same time without blowing up DOESN'T mean 
that IPFW is really functioning correctly in a vnet jail. The fact that 
vnet/jail IPFW log messages are being written to the host's IPFW log 
message file strongly indicates IPFW in a vnet jail is insecure and 
violates the whole purpose of jail security. To me this is a major show 
stopper to using vnet/vimage jails at all.

Adding a comment to PR# 178482 saying this reported problem is still 
present in RELEASE 10.1 is about all you can do, next to you finding and 
correcting the bug in IPFW/vimage yourself. Good luck with that.

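Added example, not part of the thread above: since the jail's IPFW log lines end up only in the jailhost's /var/log/security, the one thing a host admin can do today is sort those lines by the interface they were logged on and hand each jail's share to its admin. The script below does that over a constructed sample of host-side log lines. It assumes the usual syslog prefix followed by ipfw's "ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>" message, and it assumes the host admin knows which epair interface belongs to which vnet jail (the `IFACE_TO_JAIL` mapping is hypothetical). Note that the log line itself carries no jail identifier; the interface name is the only hint of origin, which is exactly why jail admins cannot be given the raw host log.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of jailhost /var/log/security lines (not real data).
# Lines 2 and 3 come from a vnet jail whose epair is epair0b; line 5 is an
# unrelated sshd message that a naive grep for "Deny" would not catch anyway.
SAMPLE_LOG = """\
Apr 21 12:01:03 jailhost kernel: ipfw: 100 Deny TCP 203.0.113.9:44120 192.0.2.10:22 in via em0
Apr 21 12:01:05 jailhost kernel: ipfw: 200 Accept TCP 10.10.0.2:51234 10.10.0.1:80 in via epair0b
Apr 21 12:01:07 jailhost kernel: ipfw: 300 Deny UDP 10.10.0.2:5353 224.0.0.251:5353 out via epair0b
Apr 21 12:01:09 jailhost kernel: ipfw: 150 Deny ICMP:8.0 198.51.100.7 192.0.2.10 in via em0
Apr 21 12:01:11 jailhost sshd[1234]: Accepted publickey for root from 192.0.2.5 port 50000 ssh2
"""

# Hypothetical interface-to-jail mapping maintained by the host admin.
IFACE_TO_JAIL = {
    "epair0b": "webjail",
}

# Assumed IPFW log format: "ipfw: <rule> <action> <proto> <src> <dst> <dir> via <iface>".
# Real lines may carry extra suffixes (e.g. fragment info); such lines land in "unparsed".
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_line(line):
    """Return a dict for an IPFW log line, or None if the line is not one."""
    m = IPFW_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["raw"] = line.rstrip("\n")
    return rec


def split_by_interface(text):
    """Group IPFW records by the interface they were logged on.

    Returns (by_iface, unparsed): by_iface maps interface name -> list of
    records; unparsed holds every line that is not an IPFW log line.
    """
    by_iface = defaultdict(list)
    unparsed = []
    for line in text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            by_iface[rec["iface"]].append(rec)
    return dict(by_iface), unparsed


def lines_for_jail(text, jail, iface_to_jail=IFACE_TO_JAIL):
    """Return only the raw IPFW lines attributable to one jail's interfaces.

    Interfaces with no mapping (the host's own NICs) are never included, so a
    jail admin does not see host traffic or another jail's traffic.
    """
    by_iface, _ = split_by_interface(text)
    return [
        rec["raw"]
        for iface, recs in by_iface.items()
        if iface_to_jail.get(iface) == jail
        for rec in recs
    ]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    by_iface, unparsed = split_by_interface(text)
    for iface in sorted(by_iface):
        owner = IFACE_TO_JAIL.get(iface, "host")
        print(f"{iface} ({owner}): {len(by_iface[iface])} ipfw line(s)")
    print(f"{len(unparsed)} non-ipfw line(s) ignored")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample split, or pass the host's /var/log/security path. Shipping the per-jail slice into the jail (for example by writing it below the jail's root) is left to the host admin; the script only does the attribution the kernel log does not.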