Firewalling jails and lo0

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Sun Aug 7 08:27:05 UTC 2016


Bjoern A. Zeeb [2016-08-06 20:02 +0000] :

> I am curious about this.  Can you give me an (obfuscated) example?  (if 
> you want in private email)

-- $ jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
  [...]
     7  mx.box-hlm-03.niklaas.eu      /usr/local/jails/smtp1
        smtp1                         ACTIVE
        8     
        10.3.8.1       
        fd16:dcc0:f4cc:3::8:1
  [...]
    24  proxy1.box-hlm-03.niklaas.eu  /usr/local/jails/proxy1
        proxy1                        ACTIVE
        5     
        10.3.2.1       
        10.77.2.1      
        fd16:dcc0:f4cc:3::2:1
        fd16:dcc0:f4cc:77::2:1
  [...]
--

-- $ ifconfig lo1
  lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  [...]
    inet 10.3.8.1 netmask 0xffff0000 
    inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64 
  [...]
    inet 10.3.2.1 netmask 0xffff0000 
    inet 10.77.2.1 netmask 0xffff0000 
    inet6 fd16:dcc0:f4cc:3::2:1 prefixlen 64 
    inet6 fd16:dcc0:f4cc:77::2:1 prefixlen 64 
  [...]
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
--

The following is a /full/ output:

-- $ ifconfig lo0
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
    inet 127.0.0.1 netmask 0xff000000 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
--

So, as you can see, the jails only have IP addresses on lo1 and
none of them has one on lo0. To make that clear:

-- $ jexec smtp1 ifconfig
  [...]
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 10.3.8.1 netmask 0xffff0000 
    inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  [...]
--

In my pf.conf I have the following. This is a simplified extract:

-- /etc/pf.conf
   1   ext_if            = vtnet0
   2   jail_if           = lo1
   3  
   4   table <proxy>       persist
   5   table <mail>        persist
   6  
   7   set skip on lo0 
   8  
   9   nat on $ext_if from { <proxy> <mail> } to any -> <me>
  10  
  11   block log all
  12  
  13   pass out all keep state
  14  
  15   pass in on $jail_if proto tcp from <proxy> to <mail>    port { <some-ports> }
--

As you can see I have a principal block in line 11, and skip is
set on lo0 solely. That said, I block on lo1. Because of this,
I pass on lo1 in line 19. I thought this was necessary.

However, here comes the thing: Although the jails have IP addresses
attached to lo1 only, I can see traffic like the following:

-- $ tcpdump -nettti lo0 host 10.3.2.1
  00:00:00.023424 AF IPv4 (2), length 64: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [S], seq 4205430985, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 349909592 ecr 0], length 0
  00:00:00.000064 AF IPv4 (2), length 64: 10.3.8.1.9025 > 10.3.2.1.51096: Flags [S.], seq 3921176095, ack 4205430986, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 3273771227 ecr 349909592], length 0
  00:00:00.000023 AF IPv4 (2), length 56: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [.], ack 1, win 1275, options [nop,nop,TS val 349909592 ecr 3273771227], length 0
--

-- $ tcpdump -nettti lo0 host fd16:dcc0:f4cc:3::8:1                                          
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
  00:00:00.000000 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [S], seq 3339315349, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 352469079 ecr 0], length 0
  00:00:00.000035 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [S.], seq 3726000680, ack 3339315350, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 306734766 ecr 352469079], length 0
  00:00:00.000044 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 1, win 1274, options [nop,nop,TS val 352469079 ecr 306734766], length 0
  00:00:05.060320 AF IPv6 (28), length 107: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [P.], seq 1:32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 31
  00:00:00.000113 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [F.], seq 32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 0
  00:00:00.000025 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 33, win 1273, options [nop,nop,TS val 352474140 ecr 306739827], length 0
  00:00:00.000413 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [F.], seq 1, ack 33, win 1274, options [nop,nop,TS val 352474140 ecr 306739827], length 0
--

As you can see, this is on lo0 although the jails don't have an
IP address on it. That said, restricting traffic on lo1 doesn't
make any sense because the jails use lo0 anyway.

> Are these ::1 connections, link-local addresses (unlikely as they should 
> not be visible to jails), or full IP?

As you can see, they are full IP.

> And what’s the routing table entry in the base system for them?

Have a look at the following output of netstat (I removed some lines and cells):

-- $ netstat -rn
  Routing tables

  Internet:
  Destination        Gateway            Flags      Netif Expire
  default            <          >       UGS      vtnet0
  10.0.0.0/8         link#4             U          tap0
  10.3.2.1           link#3             UH          lo1
  10.3.8.1           link#3             UH          lo1
  10.77.2.1          link#3             UH          lo1
  127.0.0.1          link#2             UH          lo0

  Internet6:
  Destination                       Gateway                       Flags      Netif Expire
  ::/96                             ::1                           UGRS        lo0
  default                           <                  >          UGS      vtnet0
  ::1                               link#2                        UH          lo0
  ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
  <                       >         link#1                        U        vtnet0
  <                               > link#1                        UHS         lo0
  fd16:dcc0:f4cc:3::/64             link#3                        U           lo1
  fd16:dcc0:f4cc:3::1               link#4                        UHS         lo0
  fd16:dcc0:f4cc:3::2:1             link#3                        UHS         lo0
  fd16:dcc0:f4cc:3::8:1             link#3                        UHS         lo0
  fd16:dcc0:f4cc:77::/64            link#3                        U           lo1
  fd16:dcc0:f4cc:77::2:1            link#3                        UHS         lo0
  fe80::/10                         ::1                           UGRS        lo0
  fe80::%vtnet0/64                  link#1                        U        vtnet0
  fe80::<                >%vtnet0   link#1                        UHS         lo0
  fe80::%lo0/64                     link#2                        U           lo0
  fe80::1%lo0                       link#2                        UHS         lo0
  fe80::%tap0/64                    link#4                        U          tap0
  fe80::<             >%tap0        link#4                        UHS         lo0
  ff01::%vtnet0/32                  <                      >%vtnet0 U        vtnet0
  ff01::%lo0/32                     ::1                           U           lo0
  ff01::%lo1/32                     fd16:dcc0:f4cc:3::1:1         U           lo1
  ff01::%tap0/32                    fd16:dcc0:f4cc:3::1           U          tap0
  ff02::/16                         ::1                           UGRS        lo0
  ff02::%vtnet0/32                  <                      >%vtnet0 U        vtnet0
  ff02::%lo0/32                     ::1                           U           lo0
  ff02::%lo1/32                     fd16:dcc0:f4cc:3::1:1         U           lo1
  ff02::%tap0/32                    fd16:dcc0:f4cc:3::1           U          tap0
--

> especially, do they have any IP address assigned to lo0 in them at all?

No, they don't.

    Niklaas
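As an added example, not the poster's own pf.conf: the simplified extract above rewritten so that pf actually evaluates the inter-jail flows that the captures show on lo0. Interface and table names are the ones from the mail; the port list is taken from the captured connections and is a placeholder to adjust, and the <proxy>/<mail> tables are assumed to hold the jail addresses listed by `jls -v`.

```pf
# Added example (not from the original mail). The poster's extract has
#   set skip on lo0
#   pass in on $jail_if proto tcp from <proxy> to <mail> port { ... }
# The captures above show that jail-to-jail traffic traverses lo0, not
# lo1, so the "pass in on lo1" rule never matches and the flows are
# let through by the skip, completely unfiltered and unlogged.

ext_if     = vtnet0
mail_ports = "{ 25 9025 }"     # ports seen in the captures; placeholder

table <proxy> persist          # assumed: proxy jail addresses from jls -v
table <mail>  persist          # assumed: mail jail addresses from jls -v

# Deliberately NO "set skip on lo0": once lo0 is skipped, nothing the
# jails exchange with each other can be filtered or logged.

nat on $ext_if from { <proxy> <mail> } to any -> ($ext_if)

block log all

# Genuine host-local loopback traffic is passed explicitly instead of
# skipping the whole interface; "quick" keeps it cheap.
pass quick on lo0 inet  from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet6 from ::1       to ::1

pass out all keep state

# Key the jail rule to the addresses, not to lo1, so it applies on
# whichever loopback the kernel actually uses for local delivery.
pass in quick proto tcp from <proxy> to <mail> port $mail_ports keep state

# Any other jail-to-jail connection now hits "block log all" and shows up
# on pflog0, which is how to confirm the rule set is really being applied.
```

After loading this with `pfctl -f /etc/pf.conf`, repeating the `tcpdump -nettti lo0 host 10.3.2.1` capture while watching `tcpdump -netti pflog0` shows whether the SYNs are now matched by a rule or blocked, instead of passing silently under the skip.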
