kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Remko Lodder
remko at elvandar.org
Thu Jan 1 21:50:05 UTC 2009
The following reply was made to PR kern/130102; it has been noted by GNATS.
From: Remko Lodder <remko at elvandar.org>
To: Stefan Hegnauer <stefan.hegnauer at gmx.ch>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Date: Thu, 1 Jan 2009 22:49:11 +0100
> FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed
> Dec 31 09:05:43 CET 2008 root at jailhost.x.y.z:/usr/obj/usr/src/
> sys/IBMT20 i386
>> Description:
> I have a jail host (192.168.1.10) with two jails running, webjail
> (192.168.1.80) and mailjail (192.168.1.25). The host uses pf for
> some additional protection on the single network interface facing my
> DMZ router, with rules for the two jailed hosts. So far everything
> seems to work as intended.
> The setup of the jails is according to the descriptions in the
> jail(8) manual page with no deviations.
>
> If I use pfctl(8) as root in one of the jails it is possible to
> control pf(4) that runs on the host. For example I can disable pf on
> the host altogether using 'pfctl -d', or re-enable it again with
> 'pfctl -e', or load a different ruleset with 'pfctl -f <rulefile>'
> etc.
> It seems that pfctl easily gets out of the jail, which I did not
> expect, and I also did not find any reference to this behaviour in
> the handbook, the FAQ, the PR database or anywhere else on the net.
>> How-To-Repeat:
> - have enabled in the kernel (device pf, device pflog)
> - set up a jail system with at least one jail according to jail(8)
> man page
> - run pf on the host, load some rules and enable pf (pfctl -ef
> <rule_file>)
> - run 'pfctl -d' as root within a jail -> pf is disabled on the host
> (pfctl -si)
>> Fix:
>
Can you perhaps tell us more about the setup you have with the
jails, showing the devfs ruleset that is being used for the jails, etc.?
Normally the /dev/pf node isn't visible in jails and this shouldn't
happen.
Thanks,
Remko
--
/"\ Best regards, | remko at FreeBSD.org
\ / Remko Lodder | remko at EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
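The reply above points at the devfs ruleset as the thing to check: a jail only reaches pf(4) on the host if its devfs ruleset unhides the pf device node. The script below is an added example written for this archive page, not code from the PR, from Remko or from FreeBSD; it audits a devfs.rules file offline and reports whether a named jail ruleset (following `add include` chains) unhides `pf`. The sample rules embedded in it are constructed: ruleset 4 mirrors the shape of the stock hide-everything-then-unhide-a-subset jail ruleset, and ruleset 10 (`devfsrules_jail_pf`, a hypothetical name) is a misconfigured variant that exposes pf.

```shell
#!/bin/sh
# Audit a devfs.rules file for jail rulesets that expose the pf control
# device. Added example for this archive page; not part of the PR or of
# FreeBSD. The rules text below is constructed for the demonstration.

SAMPLE_RULES='[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide
add path random unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path fuse unhide
add path zfs unhide

[devfsrules_jail_pf=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path pf unhide
'

# section_body RULES_TEXT RULESET_NAME
# Prints the rule lines belonging to the section headed "[NAME=N]".
section_body() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^\[/ { inside = ($0 ~ "^\\[" name "=") }
        inside && !/^\[/ { print }'
}

# pf_exposed_in_ruleset RULES_TEXT RULESET_NAME
# Prints "exposed" if the named ruleset, or any ruleset it includes,
# contains an unhide rule whose path matches the pf node (pf or the
# pf* glob); otherwise prints "hidden". Recursion runs in command
# substitutions, so the caller's variables are not clobbered.
pf_exposed_in_ruleset() {
    _rules="$1"
    _name="$2"
    _body=$(section_body "$_rules" "$_name")

    if printf '%s\n' "$_body" |
        grep -Eq "^add[[:space:]]+path[[:space:]]+'?pf\*?'?[[:space:]]+unhide"; then
        echo exposed
        return 0
    fi

    # Follow "add include $other_ruleset" lines.
    for _inc in $(printf '%s\n' "$_body" |
        awk '/^add[[:space:]]+include[[:space:]]+\$/ { sub(/^\$/, "", $3); print $3 }'); do
        if [ "$(pf_exposed_in_ruleset "$_rules" "$_inc")" = exposed ]; then
            echo exposed
            return 0
        fi
    done
    echo hidden
}

# Stand-alone run: report on both sample jail rulesets.
for _rs in devfsrules_jail devfsrules_jail_pf; do
    printf '%s: pf %s\n' "$_rs" "$(pf_exposed_in_ruleset "$SAMPLE_RULES" "$_rs")"
done
```

To audit a live host, replace `SAMPLE_RULES` with the contents of the file named by `devfs_rules` in rc.conf (by default `/etc/devfs.rules`, with `/etc/defaults/devfs.rules` as the base) and pass the ruleset name each jail's `devfs_ruleset` refers to. A ruleset that never includes a hide-all rule leaves every node visible regardless of this check, so confirm from inside the jail that `/dev/pf` is absent, and keep `pfctl -si` on the host in monitoring so an unexpected "Disabled" status is noticed.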