Firewalling jails and lo0
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Sat Aug 6 20:02:53 UTC 2016
On 6 Aug 2016, at 15:54, Niklaas Baudet von Gersdorff wrote:
> Hi,
>
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`) It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
>
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
>
> However, today I realised that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.
I am curious about this. Can you give me an (obfuscated) example? (if
you want in private email)
Are these ::1 connections, link-local addresses (unlikely as they should
not be visible to jails), or full IP?
And what’s the routing table entry in the base system for them?
Also do these jails have multiple IP address per-address family, and
especially, do they have any IP address assigned to lo0 in them at all?
More information about the freebsd-pf
mailing list