ipfw not blocking inter jail ip traffic
steve at ibctech.ca
Sat Nov 21 14:07:55 UTC 2009
> Have 2 jails and I don't want them to be able to reach each other.
> gulag:#ifconfig em0
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ether 08:00:27:03:18:ea
> inet 172.20.6.50 netmask 0xffffff00 broadcast 172.20.6.255
> inet 172.20.6.209 netmask 0xffffff00 broadcast 172.20.6.255
> inet 172.20.6.211 netmask 0xffffff00 broadcast 172.20.6.255
> gulag:#ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 deny ip from 172.20.6.209 to 172.20.6.211
> 10001 deny ip from 172.20.6.211 to 172.20.6.209
> 40000 deny ip from 172.20.6.209 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> The two jails [.209 and .211] can still ping each other.
> Even with rule 40000, the .209 jail can ping/ssh to the .211 jail, but of
> course cannot ping the gateway...
> If I remove rule '100' from the list, jails are no longer able to ping
> each other - Although the IPs are on em0, why is the rule with lo0 letting
> them pass?
Because, AFAIK, traffic that stays within the box never crosses the
external (i.e. non-loopback) interface planes.
> Does lo0 mean ALL IPs assigned to the server? Or does it mean the
> loopback interface?
It means loopback interface. Essentially, all traffic that originates
and is destined to itself stays within the loopback.
ipfw add 40000 deny all from 172.20.6.211 to 172.20.6.209 via lo0
The following would allow you to block access from .211 to ANY other IP
(jail) on the box (I *think* it would still permit network destined
ipfw add xxxx deny all from 172.20.6.211 to me
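To make the ordering point concrete, here is a small model of ipfw's first-match evaluation run over the ruleset quoted above. It is an added example, not code from the thread or from FreeBSD; it models only the rule syntax the thread uses (allow/deny, from/to with an address, a prefix, any or me, and via IFACE), and the rule numbers 50/51 and the off-box address 172.20.6.99 are constructed for the illustration.

```python
import ipaddress

# Addresses configured on the host (from the ifconfig output in the thread);
# the ipfw keyword 'me' matches any of them.
HOST_ADDRS = {"172.20.6.50", "172.20.6.209", "172.20.6.211"}

def _addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip in HOST_ADDRS
    # A bare address is treated as a /32, a prefix such as 127.0.0.0/8 as a net.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse 'NNNNN allow|deny ip|all from SRC to DST [via IFACE]'."""
    parts = line.split()
    num, action = int(parts[0]), parts[1]
    src = parts[parts.index("from") + 1]
    dst = parts[parts.index("to") + 1]
    via = parts[parts.index("via") + 1] if "via" in parts else None
    return num, action, src, dst, via

def evaluate(rules, src, dst, iface):
    """Return (number, action) of the first rule matching a packet seen on iface.

    ipfw walks rules in ascending number order and stops at the first
    allow/deny that matches, so rule numbering decides the outcome.
    """
    for num, action, rsrc, rdst, via in sorted(map(parse_rule, rules), key=lambda r: r[0]):
        if via is not None and via != iface:
            continue
        if _addr_matches(rsrc, src) and _addr_matches(rdst, dst):
            return num, action
    raise AssertionError("unreachable: rule 65535 always matches")

# The ruleset from the thread, verbatim.
ORIGINAL = [
    "00100 allow ip from any to any via lo0",
    "00200 deny ip from any to 127.0.0.0/8",
    "00300 deny ip from 127.0.0.0/8 to any",
    "10000 deny ip from 172.20.6.209 to 172.20.6.211",
    "10001 deny ip from 172.20.6.211 to 172.20.6.209",
    "40000 deny ip from 172.20.6.209 to any",
    "65000 allow ip from any to any",
    "65535 deny ip from any to any",
]

# Jail-to-jail packets never leave the box: the kernel hands them to lo0, so
# rule 100 matches first and the denies at 10000/10001 are never reached.
# Constructed fix: 'via lo0' denies numbered below 100; 'to me' covers every
# address configured on the host with one rule.
FIXED = [
    "00050 deny ip from 172.20.6.209 to 172.20.6.211 via lo0",
    "00051 deny ip from 172.20.6.211 to me via lo0",
] + ORIGINAL
```

Running `evaluate(ORIGINAL, "172.20.6.209", "172.20.6.211", "lo0")` returns rule 100 (allow), while the same packet against FIXED stops at rule 50 (deny); a deny added with a number above 100 would never be consulted for loopback traffic.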