testing 11.0-RC1 vnet jails with ipfilter

Lars Engels lars.engels at 0x20.net
Wed Aug 17 07:22:49 UTC 2016


On Tue, Aug 16, 2016 at 09:05:28PM -0400, Ernie Luzar wrote:
> Bjoern A. Zeeb wrote:
> > On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
> > 
> >> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> >> <snip>
> >>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
> >>> message, "open device:no such file or directory. User kernel version
> >>> check failed."
> >>
> >> According to ipf(8), the ipfilter utilities touch /dev/ipauth , /dev/ipl
> >> , and /dev/ipstate . Have you checked that the devfs ruleset applied to
> >> your jail has those unhidden?
> >>
> >>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
> >>> message, "open(IPSTATE_NAME):no such file or directory".
> >>
> >> ipfstat(8) also lists /dev/kmem ; I suspect that including this may be a
> >> bad idea.
> > 
> > /dev/kmem is a bad idea;  I should go and check what it is using it for 
> > and if needed we should fix that.
> > 
> > 
> > I guess the general thing is that we might want to create another 
> > default set of devfs rules which include additional nodes we now 
> > consider safe inside VNET jails;  the jail.conf still needs to know the 
> > right ruleset to apply, so the jail.conf would need to specify the other 
> > devfs_ruleset=“..” for vnet jails.  Maybe Jamie could then come up with 
> > an intelligent solution that would automatically flip things if option 
> > vnet is set?   I guess jail.conf(5) will need more examples for these 
> > things as well.
> > 
> > 
> > /bz
> > 
> 
> If that's the road you are thinking of going down, then we have to look
> at the big picture. Is it another rule set, say number 5, that includes rule
> set number 4 plus the nodes for ipfilter, pf, and ipfw? Or maybe a
> separate rule set for each firewall, which is more secure.
> 
> There is no way jail(8) could know which firewall, if any, was going to be
> run in the vnet jail to select the correct rule if there were separate
> rules for each firewall. A combined rule set containing everything
> needed for all 3 firewalls would be something jail(8) could auto default
> to if the vnet option was coded.
> 
> In light of the 11.0 release being published soon, there should be something
> posted to the release notes talking about this with sample code for a
> combined rule #5. This would give vnet users a copy & paste solution to
> use until jail(8) gets updated in 11.1.
> 
> I tried this rule set in /etc/devfs.rules
> 
> [devfsrules_jail=5]
> add include $devfsrules_jail
> add path /dev/ipl unhide
> add path /dev/ipauth unhide
> add path /dev/ipstate unhide

I think you have to remove '/dev/'
> 
> Boot time get error message that this was invalid.
> 
> If I could get a combined rule #5 file with correct syntax, I could continue
> testing all 3 firewalls using 11.0-RC1.
> 
> Your help would be greatly appreciated.
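As an added example (not code from the thread), a small shell lint that catches the syntax slip pointed out above: devfs.rules(5) matches "path" patterns relative to the devfs mount point, so the "/dev/" prefix has to go. The two rulesets inside are constructed copies of the one posted and its corrected form.

```shell
#!/bin/sh
# Added example, not code from the thread: a lint for /etc/devfs.rules that
# catches the mistake discussed above. Per devfs.rules(5), "path" patterns
# are matched relative to the devfs mount point, so a rule must read
# "add path ipl unhide", not "add path /dev/ipl unhide".
# Both rulesets below are constructed for this example.

# The ruleset as posted in the thread (paths wrongly prefixed with /dev/).
RULESET_AS_POSTED='[devfsrules_jail=5]
add include $devfsrules_jail
add path /dev/ipl unhide
add path /dev/ipauth unhide
add path /dev/ipstate unhide'

# The same ruleset with paths relative to the devfs mount point.
RULESET_FIXED='[devfsrules_jail=5]
add include $devfsrules_jail
add path ipl unhide
add path ipauth unhide
add path ipstate unhide'

# check_devfs_rules: read a ruleset on stdin; print every "add path" rule
# whose pattern starts with "/" and exit 1 if any were found, else 0.
check_devfs_rules() {
    awk '$1 == "add" && $2 == "path" && $3 ~ /^\// {
             printf "line %d: \"%s\" is absolute; devfs paths are relative to /dev\n", NR, $3
             bad = 1
         }
         END { if (bad) exit 1; exit 0 }'
}

# fix_devfs_rules: strip a leading "/dev/" from "add path" patterns on stdin.
fix_devfs_rules() {
    sed -E 's#^([[:space:]]*add[[:space:]]+path[[:space:]]+)/dev/#\1#'
}

# count_bad_paths RULESET: number of offending rules in the given text.
count_bad_paths() {
    printf '%s\n' "$1" | check_devfs_rules | wc -l | tr -d ' '
}

# Demo: report the problem in the posted ruleset, then print the corrected
# one, which would go in /etc/devfs.rules and be selected from jail.conf
# with "devfs_ruleset = 5;" for the vnet jail.
if ! printf '%s\n' "$RULESET_AS_POSTED" | check_devfs_rules; then
    echo "--- corrected ruleset ---"
    printf '%s\n' "$RULESET_AS_POSTED" | fix_devfs_rules
fi
```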