IPFW2 logging inside VIMAGE Jails?

wishmaster artemrts at ukr.net
Tue Apr 21 14:02:05 UTC 2015



 
 --- Original message ---
 From: "Ernie Luzar" <luzar722 at gmail.com>
 Date: 21 April 2015, 15:58:04
  


> Kai Gallasch wrote:
> > Hi.
> > 
> > Is it possible at all to log actions of IPFW
> > firewall inside a running vnet/VIMAGE jail to the vnet/VIMAGE jail's syslog?
> 
> NO. Not at this time.
> 
> > 
> > I'm asking, because I see no firewall log entries inside the jail's
> > /var/log/security log.
> > 
> > What I find is, that log messages of jails with active IPFW rules are
> > only logged on the jailhost (/var/log/security) - out of reach of any
> > local jail admins..
> > 
> > My kernel is built without firewall support. The ipfw.ko is loaded
> > dynamically when the server starts. No PF firewall is in use.
> 
> Compiling IPFW into the hosts kernel makes no difference either.
> 
> > 
> > - FreeBSD 10.1-RELEASE-p9
> > - /dev/bpf available inside jails
> > - firewall logging enabled on the jailhost and also inside the jail
> > 
> > I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178482 (2
> > years old, FreeBSD 9.1 related)
> > 
> > Cheers,
> > Kai.
> > 
> > 
> 
> As PR# 178482 shows this bug has not been addressed in over 2 years and 
> your recent testing shows this bug is still present in the current 
> production RELEASE 10.1 of FreeBSD.
> 
> In a nutshell, VIMAGE is experimental; IPFW was only made vimage-aware 
> enough so it would not cause the host to abend. IPFW and vimage still 
> don't integrate correctly.
> 
> The fact that IPFW can run on a host kernel with vimage compiled in and 
> also in a vnet jail at the same time without blowing up DOESN'T mean 
> that IPFW is really functioning correctly in a vnet jail. The fact that 
> vnet/jail IPFW log messages are being written to the host's IPFW log 
> message file strongly indicates IPFW in a vnet jail is insecure and 
> violates the whole purpose of jail security. To me this is a major show 
> stopper to using vnet/vimage jails at all.

   The last 2 sentences are strange to me. Are problems with IPFW logging such a big problem? You can log all traffic on the base system and disable logging in the guest host. You can disable ipfw in the jail completely and filter traffic on the epair[0-9]a interfaces, with no need to filter traffic twice.

Cheers,
Vitaliy



More information about the freebsd-jail mailing list