Filtering outbound traffic for private address jails?

org.freebsd.security at io7m.com
Sun Jun 26 10:02:42 UTC 2016


Hello.

On 2016-06-25T17:17:53 -0600
Alan Somers <asomers at freebsd.org> wrote:
> 
> I'm filtering outbound traffic, but I'm not using NAT on the jail
> host.  Instead, I have a dedicated router doing NAT, and my jail host
> has multiple IP addresses.  At first I tried using traditional
> shared-address jails, but the firewall rules quickly got very
> complicated, especially for dealing with IPv6 and other non-IPv4
> traffic.  So I switched to using vimage jails.  I use iocage to set up
> my jails, and pf to filter them.  A simplified version of my pf.conf
> follows:

As far as I'm aware, I cannot do this. I'm using a VPS that gives me
exactly one public IP address. If I want multiple addresses, they have
to be private addresses (on loopback, or possibly via something like
vnet) and I have to use some sort of software solution to expose them
to the outside world (and filter in/out).

> www_services = "{ http, https, 8080 }"
> host_iface = "em0"
> dmz_iface = "em1"
> www_jail_iface = "vnet0:1"
> www_ip = "192.168.0.40"
> # Options ("set") must precede normalization and filtering rules,
> # otherwise pfctl rejects the file as out of order.
> set state-policy if-bound
> set skip on lo0
> 
> scrub in
> block in all
> block out all
> 
> pass in on $host_iface
> pass out on $host_iface
> 
> # Allow all traffic to the DMZ.  Filtering happens on individual vnet
> # interfaces
> pass in on $dmz_iface
> pass out on $dmz_iface
> 
> # Put the www jail in a DMZ.  Don't allow outgoing traffic from it except for
> # the webserver ("out" on the vnet interface is towards the jail; the
> # if-bound state lets the webserver's replies back out)
> pass out on $www_jail_iface proto tcp to $www_ip port $www_services keep state
> # Uncomment next line to allow outbound traffic from www jail
> # pass in on $www_jail_iface

I'm not sure I fully understand. $host_iface and $dmz_iface are real
physical NICs? $www_jail_iface obviously isn't. I understand how
$dmz_iface and $www_jail_iface interact: Packets sent from the jail are
incoming on $www_jail_iface and outbound on $dmz_iface, but how is
$host_iface involved?

M
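For reference, the following is an added, self-contained pf.conf in the same shape as the ruleset quoted above. It is example configuration written for this page, not Alan's actual file and not anything from iocage. It assumes the host side of the www jail's epair is named epair0a (the jail holds epair0b), a documentation-prefix IPv6 address for the jail, and the same em0/em1 roles as in the quoted config. It puts the "set" options first, which FreeBSD's pfctl requires, spells out which direction on the epair is "from the jail" and which is "to the jail", and adds the ICMPv6 neighbour discovery rules a vnet jail needs before any IPv6 service on it is reachable.

```pf
# Added example (not the pf.conf posted in this thread): a complete,
# loadable ruleset for one vnet jail behind a DMZ NIC.  Interface names,
# the epair numbering and the jail addresses are assumptions.
www_services   = "{ http, https, 8080 }"
host_iface     = "em0"          # the host's own uplink
dmz_iface      = "em1"          # NIC the jails reach the world through
www_jail_iface = "epair0a"      # host side of the www jail's epair
www_ip         = "192.168.0.40"
www_ip6        = "2001:db8::40" # documentation prefix, assumed

# pfctl refuses the file unless options precede normalization and
# filtering ("Rules must be in order"), so every "set" line goes first.
set state-policy if-bound
set skip on lo0
scrub in all

# Default deny on every interface; everything below is an exception.
block in all
block out all

# The host's own traffic on its uplink is not restricted here.
pass in on $host_iface
pass out on $host_iface

# Pass everything on the DMZ NIC; per-jail policy lives on each epair.
pass in on $dmz_iface
pass out on $dmz_iface

# Direction on an epair is from the host's point of view:
#   "out on epair0a" = packet travelling towards the jail
#   "in  on epair0a" = packet originating inside the jail
# New TCP connections are allowed only towards the webserver.  The state
# entry, bound to epair0a by if-bound, lets the jail's replies back out.
pass out on $www_jail_iface proto tcp to { $www_ip, $www_ip6 } port $www_services keep state

# IPv6 needs neighbour discovery in both directions, or the jail's
# address never resolves; this is the only traffic the jail may originate.
pass in  on $www_jail_iface inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
pass out on $www_jail_iface inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }

# Anything else the jail originates stays blocked by the default deny.
# To let the jail open arbitrary outbound connections, uncomment:
# pass in on $www_jail_iface keep state
```

Check it with "pfctl -nf /etc/pf.conf" before loading, and with "pfctl -vsr" afterwards to confirm the two epair rules are the only ones that mention the jail interface.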


More information about the freebsd-net mailing list