Firewalling jails and lo0

Ernie Luzar luzar722 at gmail.com
Sun Aug 7 14:20:25 UTC 2016


Niklaas Baudet von Gersdorff wrote:
> Bjoern A. Zeeb [2016-08-06 20:02 +0000] :
> 
>> I am curious about this.  Can you give me an (obfuscated) example?  (if 
>> you want in private email)
> 
> -- $ jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>   [...]
>      7  mx.box-hlm-03.niklaas.eu      /usr/local/jails/smtp1
>         smtp1                         ACTIVE
>         8     
>         10.3.8.1       
>         fd16:dcc0:f4cc:3::8:1
>   [...]
>     24  proxy1.box-hlm-03.niklaas.eu  /usr/local/jails/proxy1
>         proxy1                        ACTIVE
>         5     
>         10.3.2.1       
>         10.77.2.1      
>         fd16:dcc0:f4cc:3::2:1
>         fd16:dcc0:f4cc:77::2:1
>   [...]
> --
> 
> -- $ ifconfig lo1
>   lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>   [...]
>     inet 10.3.8.1 netmask 0xffff0000 
>     inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64 
>   [...]
>     inet 10.3.2.1 netmask 0xffff0000 
>     inet 10.77.2.1 netmask 0xffff0000 
>     inet6 fd16:dcc0:f4cc:3::2:1 prefixlen 64 
>     inet6 fd16:dcc0:f4cc:77::2:1 prefixlen 64 
>   [...]
>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> --
> 
> The following is a /full/ output:
> 
> -- $ ifconfig lo0
>   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>     inet6 ::1 prefixlen 128 
>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
>     inet 127.0.0.1 netmask 0xff000000 
>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> --
> 
> So, as you can see, the jails only have IP addresses on lo1 and
> none of them has one on lo0. To make that clear:
> 
> -- $ jexec smtp1 ifconfig
>   [...]
>   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>   lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>     inet 10.3.8.1 netmask 0xffff0000 
>     inet6 fd16:dcc0:f4cc:3::8:1 prefixlen 64 
>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>   [...]
> --
> 
> In my pf.conf I have the following. This is a simplified extract:
> 
> -- /etc/pf.conf
>    1   ext_if            = vtnet0
>    2   jail_if           = lo1
>    3  
>    4   table <proxy>       persist
>    5   table <mail>        persist
>    6  
>    7   set skip on lo0 
>    8  
>    9   nat on $ext_if from { <proxy> <mail> } to any -> <me>
>   10  
>   11   block log all
>   12  
>   13   pass out all keep state
>   14  
>   15   pass in on $jail_if proto tcp from <proxy> to <mail>    port { <some-ports> }
> --
> 
> As you can see, I have a principal block in line 11, and skip is
> set on lo0 solely. That said, I block on lo1. Because of this,
> I pass on lo1 in line 19. I thought this was necessary.
> 
> However, here comes the thing: Although the jails have IP addresses
> attached to lo1 only, I can see traffic like the following:
> 
> -- $ tcpdump -nettti lo0 host 10.3.2.1
>   00:00:00.023424 AF IPv4 (2), length 64: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [S], seq 4205430985, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 349909592 ecr 0], length 0
>   00:00:00.000064 AF IPv4 (2), length 64: 10.3.8.1.9025 > 10.3.2.1.51096: Flags [S.], seq 3921176095, ack 4205430986, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 3273771227 ecr 349909592], length 0
>   00:00:00.000023 AF IPv4 (2), length 56: 10.3.2.1.51096 > 10.3.8.1.9025: Flags [.], ack 1, win 1275, options [nop,nop,TS val 349909592 ecr 3273771227], length 0
> --
> 
> -- $ tcpdump -nettti lo0 host fd16:dcc0:f4cc:3::8:1                                          
>   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>   listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
>   00:00:00.000000 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [S], seq 3339315349, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 352469079 ecr 0], length 0
>   00:00:00.000035 AF IPv6 (28), length 84: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [S.], seq 3726000680, ack 3339315350, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 306734766 ecr 352469079], length 0
>   00:00:00.000044 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 1, win 1274, options [nop,nop,TS val 352469079 ecr 306734766], length 0
>   00:00:05.060320 AF IPv6 (28), length 107: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [P.], seq 1:32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 31
>   00:00:00.000113 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::8:1.25 > fd16:dcc0:f4cc:3::2:1.35851: Flags [F.], seq 32, ack 1, win 1274, options [nop,nop,TS val 306739827 ecr 352469079], length 0
>   00:00:00.000025 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [.], ack 33, win 1273, options [nop,nop,TS val 352474140 ecr 306739827], length 0
>   00:00:00.000413 AF IPv6 (28), length 76: fd16:dcc0:f4cc:3::2:1.35851 > fd16:dcc0:f4cc:3::8:1.25: Flags [F.], seq 1, ack 33, win 1274, options [nop,nop,TS val 352474140 ecr 306739827], length 0
> --
> 
> As you can see, this is on lo0 although the jails don't have an
> IP address on it. That said, restricting traffic on lo1 doesn't
> make any sense because the jails use lo0 anyway.
> 
>> Are these ::1 connections, link-local addresses (unlikely as they should 
>> not be visible to jails), or full IP?
> 
> As you can see, they are full IP.
> 
>> And what’s the routing table entry in the base system for them?
> 
> Have a look at the following output of netstat (I removed some lines and cells):
> 
> -- $ netstat -rn
>   Routing tables
> 
>   Internet:
>   Destination        Gateway            Flags      Netif Expire
>   default            <          >       UGS      vtnet0
>   10.0.0.0/8         link#4             U          tap0
>   10.3.2.1           link#3             UH          lo1
>   10.3.8.1           link#3             UH          lo1
>   10.77.2.1          link#3             UH          lo1
>   127.0.0.1          link#2             UH          lo0
> 
>   Internet6:
>   Destination                       Gateway                       Flags      Netif Expire
>   ::/96                             ::1                           UGRS        lo0
>   default                           <                  >          UGS      vtnet0
>   ::1                               link#2                        UH          lo0
>   ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
>   <                       >         link#1                        U        vtnet0
>   <                               > link#1                        UHS         lo0
>   fd16:dcc0:f4cc:3::/64             link#3                        U           lo1
>   fd16:dcc0:f4cc:3::1               link#4                        UHS         lo0
>   fd16:dcc0:f4cc:3::2:1             link#3                        UHS         lo0
>   fd16:dcc0:f4cc:3::8:1             link#3                        UHS         lo0
>   fd16:dcc0:f4cc:77::/64            link#3                        U           lo1
>   fd16:dcc0:f4cc:77::2:1            link#3                        UHS         lo0
>   fe80::/10                         ::1                           UGRS        lo0
>   fe80::%vtnet0/64                  link#1                        U        vtnet0
>   fe80::<                >%vtnet0   link#1                        UHS         lo0
>   fe80::%lo0/64                     link#2                        U           lo0
>   fe80::1%lo0                       link#2                        UHS         lo0
>   fe80::%tap0/64                    link#4                        U          tap0
>   fe80::<             >%tap0        link#4                        UHS         lo0
>   ff01::%vtnet0/32                  <                      >%vtnet0 U        vtnet0
>   ff01::%lo0/32                     ::1                           U           lo0
>   ff01::%lo1/32                     fd16:dcc0:f4cc:3::1:1         U           lo1
>   ff01::%tap0/32                    fd16:dcc0:f4cc:3::1           U          tap0
>   ff02::/16                         ::1                           UGRS        lo0
>   ff02::%vtnet0/32                  <                      >%vtnet0 U        vtnet0
>   ff02::%lo0/32                     ::1                           U           lo0
>   ff02::%lo1/32                     fd16:dcc0:f4cc:3::1:1         U           lo1
>   ff02::%tap0/32                    fd16:dcc0:f4cc:3::1           U          tap0
> --
> 
>> especially, do they have any IP address assigned to lo0 in them at all?
> 
> No, they don't.
> 
>     Niklaas


I believe the loopback interface lo1 needs a 127.0.0.0/8 IP address to
enable loopback functionality, and the IP address has to be in a different
subnet, i.e. 127.0.10.1 for lo1 while the host's lo0 uses 127.0.0.1.
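The captures quoted above show the practical consequence of the posted rule set: the jail-to-jail connections appear on lo0, and `set skip on lo0` exempts everything on that interface from filtering, so the `pass in on $jail_if` rule never sees them and the `block log all` never applies. The following pf.conf is an added example for this page, not configuration from the thread or from either poster. It drops the `set skip`, lets only genuine loopback traffic (127/8 and ::1) through lo0 unfiltered, and matches the jail rule on addresses instead of on lo1 so it holds on whichever loopback interface the packets traverse. Assumptions: `($ext_if)` replaces the poster's `<me>` placeholder as the NAT target, and the port list is taken from the two destination ports visible in the tcpdump output (25 and 9025).

```pf
# Added example, not the original poster's pf.conf.
# Assumptions: ($ext_if) as the NAT target in place of the placeholder <me>;
# ports 25 and 9025 taken from the quoted tcpdump output.
ext_if = "vtnet0"

table <proxy> persist
table <mail>  persist

# No 'set skip on lo0'. The quoted captures show jail-to-jail connections
# on lo0, and a skipped interface is never filtered. Pass only real
# loopback traffic unfiltered; everything else on lo0 falls through to
# the ordinary rules below.
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8 no state
pass quick on lo0 inet6 from ::1 to ::1 no state

nat on $ext_if from { <proxy>, <mail> } to any -> ($ext_if)

block log all

pass out all keep state

# Match on the jail addresses rather than 'on lo1', so the rule applies
# whether the packet shows up on lo1 or on lo0.
pass in proto tcp from <proxy> to <mail> port { 25, 9025 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because `block log all` is still in place, anything on lo0 that is neither 127/8, ::1 nor an allowed jail flow now shows up on `tcpdump -nettti pflog0`, which is where to look before adding further `pass quick on lo0` exceptions; the poster's own `tcpdump -nettti lo0 host 10.3.2.1` confirms that the permitted proxy-to-mail connection still completes.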

