Firewalling jails and lo0

Ernie Luzar luzar722 at gmail.com
Sat Aug 6 16:54:52 UTC 2016


Niklaas Baudet von Gersdorff wrote:
> Ernie Luzar [2016-08-06 12:15 -0400] :
> 
>> This bug report will answer your questions for non-vimage jails.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
> 
> Thanks a lot. So I stumbled upon a security issue? And the only
> way to work around this is by using vimage jails? While vimage
> refers to some virtualisation of the network /within/ the jails?
> 
>     Niklaas

That is not the undocumented work-around solution contained in the PR. 
Vimage jails are not mentioned at all. The loopback problem is isolated 
to non-vimage jails only.

If your non-vimage jail does not contain an application that uses 
localhost lo0/127.0.0.x then you don't need to do anything. If there is an 
application in your jail that uses lo0/127.0.0.x, then for that jail's 
jail.conf definition you have to manually activate loopback by adding 
lo0:127.0.0.x to the jail's ip4_addr parameter value along with the jail's 
primary IP address. Then manually change the conf file of all the 
applications running in that jail to use that lo0 127.0.0.x IP address. 
Or an alternative is to add a statement to the host's rc.conf to clone the 
lo0 interface and then code as above. This means each jail has a unique 
loopback IP address.
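The per-jail loopback setup described above, written out as an added example (this is not code from the mail or from the PR): a constructed jail.conf(5) excerpt in which one non-vimage jail carries its own 127.0.0.x alias on lo0 next to its primary address and one does not, followed by a small sh/awk check that lists the jails still lacking a loopback address. It assumes the jail.conf(5) spelling ip4.addr with the "interface|address" form is what the mail's ip4_addr refers to, that only an address prefixed with "lo<N>|" counts as a jail loopback, and that the addresses, jail names and paths are made up for the example.

```sh
#!/bin/sh
# Added example, not from the mailing-list post or the PR it cites.
# Assumptions: jail.conf(5) "ip4.addr" with the "interface|address" form;
# a jail is treated as having loopback only when an ip4.addr value is
# prefixed "lo<N>|". Names, paths and addresses are constructed.

# Constructed jail.conf excerpt. "www" gets its own 127.0.0.10 on lo0 next
# to the primary address, so daemons inside it can be pointed at that address
# instead of the host's 127.0.0.1. "db" has only its primary address and is
# what the check below flags.
JAIL_CONF='
www {
    path = "/usr/jails/www";
    ip4.addr = "em0|192.0.2.10/32";
    ip4.addr += "lo0|127.0.0.10/32";
}
db {
    path = "/usr/jails/db";
    ip4.addr = "em0|192.0.2.11/32";
}
'

# The alternate route from the mail, a cloned loopback created in the host
# rc.conf (constructed); the jail line then uses "lo1|127.0.1.1/32" instead.
RC_CONF_EXCERPT='
cloned_interfaces="lo1"
ifconfig_lo1="inet 127.0.1.1 netmask 255.255.255.255"
'

# Print, one per line, the names of jails with no "lo<N>|"-prefixed address
# in any of their ip4.addr assignments.
jails_without_loopback() {
    printf '%s\n' "$1" | awk '
        # "name {" opens a jail block: remember the name, reset the flag
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*[{]/ {
            jail = $1; sub(/[ \t]*[{].*/, "", jail); has_lo = 0; next
        }
        # any ip4.addr assignment (= or +=) naming a loopback interface
        jail != "" && /ip4\.addr[ \t]*\+?=/ && /lo[0-9]+[|]/ { has_lo = 1 }
        # "}" closes the block: report the jail if no loopback address was seen
        /^[ \t]*[}]/ { if (jail != "" && !has_lo) print jail; jail = "" }
    '
}

# Usage: list the jails that still need a dedicated loopback address.
jails_without_loopback "$JAIL_CONF"
```

The check only looks at the interface prefix, so a jail whose loopback address is supplied through a separate "interface" parameter or through vimage would not be recognised; it is meant as a quick audit of the plain ip4.addr pattern the mail describes, not a complete parser of jail.conf(5).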


More information about the freebsd-pf mailing list