Firewalling jails and lo0

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Mon Aug 8 08:19:19 UTC 2016


Ernie Luzar [2016-08-07 13:20 -0400] :

> > Aha. So once I assigned those traffic from/to jails should go
> > through lo1 solely?
> 
> YES.

Thank you for clarifying that and your help. So, I attached
additional IP addresses on the jail host side accordingly:

  lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
          options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
          [...]
          inet 127.77.0.1 netmask 0xff000000
          inet6 ::77:0:0:0:1 prefixlen 128
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

However, I still see packets being transmitted over lo0.

What I tried then was attaching loopback addresses to the jails,
like 127.77.2.1/8 and ::77:0:0:2:1/128. I did that for two jails
(each on a different subnet) and checked with telnet whether they
would start communicating over lo1. They didn't though.

> I am still missing info on your jail.conf. Post the jail.conf file for the
> jails in question.

The following is an extract of /etc/jail.conf.

    $box                    = "box-hlm-03";
    $box_jail_net           = "3";

    $private_ip4            = "10.$box_jail_net.$network.$id";
    $private_ip4_prefixlen  = "16";
    $private_ip6            = "fd16:dcc0:f4cc:$box_jail_net::$network:$id";
    $private_ip6_prefixlen  = "64";
    $local_ip4              = "10.77.$network.$id";
    $local_ip6              = "fd16:dcc0:f4cc:77::$network:$id";
    $loopback_ip4           = "127.77.$network.$id";
    $loopback_ip6           = "0:0:0:77::$network:$id";
    $loopback_ip4_prefixlen = "8";
    $loopback_ip6_prefixlen = "128";

    host.hostname = "$name.$box.klaas";
    path          = "/usr/local/jails/$name";
    ip4.addr      = "lo1|$private_ip4/$private_ip4_prefixlen";
    ip6.addr      = "lo1|$private_ip6/$private_ip6_prefixlen";
    ip4.addr     += "lo1|$local_ip4/$private_ip4_prefixlen";
    ip6.addr     += "lo1|$local_ip6/$private_ip6_prefixlen";
    ip4.addr     += "lo1|$loopback_ip4/$loopback_ip4_prefixlen";
    ip6.addr     += "lo1|$loopback_ip6/$loopback_ip6_prefixlen";
    mount         = "/usr/local/jails/templates/base-10.3-RELEASE /usr/local/jails/$name      nullfs ro 0 0";
    mount        += "/usr/local/jails/thinjails/$name             /usr/local/jails/$name/jail nullfs rw 0 0";
    mount.devfs;

    exec.start    = "/bin/sh /etc/rc";
    exec.stop     = "/bin/sh /etc/rc.shutdown";
    exec.clean;

    # $class is set per jail below; the tables are filled before the jail
    # starts and emptied before it stops.
    exec.prestart = "pfctl -t $class -T add    $private_ip4 $private_ip6 $local_ip6 $local_ip4";
    exec.prestop  = "pfctl -t $class -T delete $private_ip4 $private_ip6 $local_ip6 $local_ip4";

    exec.consolelog = "/usr/local/jails/$name.log";

    proxy1 {
        host.hostname   = "$name.$box.niklaas.eu";
        $network        = 2;
        $id             = 1;
        $class          = "proxy";
        # Inbound services on vtnet0 are redirected into the jail via a per-jail anchor.
        exec.poststart += "echo 'rdr pass inet6 proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
        exec.poststart += "echo 'rdr pass inet  proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
        exec.poststop  += "pfctl -a jails/$name-ipv6 -F all";
        exec.poststop  += "pfctl -a jails/$name-ipv4 -F all";
    }

    smtp1 {
        host.hostname   = "mx.$box.niklaas.eu";
        $network        = 8;
        $id             = 1;
        $class          = "mail";
    }

> Also what services are running on the host that you want to
> communicate with the smtp jail. You have to change the smtp
> config file to tell it to use the new lo1:127.0.10.2 ip address
> and you have to do the same thing for what ever host service
> will communicate with the smtp jail. They all have to be using
> the same lo1:127.0.10.2 ip. Most admin just keep those types of
> services on the host because its just easier.

I am not sure whether I really want to do what you think I want
to. :-) I would like to restrict the jails to solely use the
interface they have an IP address attached to -- regardless of
the running services in them.

The only reason why I intend such a restriction is to limit the
damage a potentially malicious jail can cause to other jails. If
I configured the services to listen on the address you described
above -- while I might make them use lo1 exclusively -- this
would not prevent any malicious program from using lo0.

My issue can be reduced to the question: When using jails, to
secure network traffic as best as I can, do I have to enable the
firewall on lo0 or is enabling it on the interface they are
attached to (in my case lo1) enough?

And: What do I need to do to restrict jails from using lo0?

Sorry if I misunderstood you.

    Niklaas
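The question above is whether filtering on lo1 alone is enough, or whether lo0 has to be filtered as well. The following pf.conf extract is an added example for the jail host and is not part of the original mail or of any reply; it takes its names from the posted jail.conf (the <proxy> and <mail> tables filled by exec.prestart, the jails/* anchors loaded by exec.poststart, vtnet0 as the external interface, and the 10.3.0.0/16, 10.77.0.0/16, 127.77.0.0/16, fd16:dcc0:f4cc:3::/64 and fd16:dcc0:f4cc:77::/64 jail networks). Its premise, consistent with the lo0 packets observed in the mail, is that locally delivered traffic between jail addresses may appear on lo0 whatever interface the address is attached to, so the policy is expressed in terms of addresses and applied on both loopback interfaces instead of trusting the interface as a boundary. It contains no nat rule for the jails' own outbound traffic; that part of the host's ruleset is assumed to exist elsewhere.

```pf
# Added example, not from the thread: pf.conf extract for the jail host.
# Assumed: vtnet0 is the external interface; <proxy> and <mail> are the
# tables jail.conf fills with "pfctl -t $class -T add"; the networks below
# are those built from $private_ip4/6, $local_ip4/6 and $loopback_ip4.
ext_if    = "vtnet0"
jail_ifs  = "{ lo0, lo1 }"
jail_nets = "{ 10.3.0.0/16, 10.77.0.0/16, 127.77.0.0/16, fd16:dcc0:f4cc:3::/64, fd16:dcc0:f4cc:77::/64 }"

# "persist" keeps an empty table from failing the ruleset load before
# the first jail has started.
table <proxy> persist
table <mail>  persist

# Weak setting, deliberately left out: "set skip on lo0" exempts lo0 from
# filtering altogether, and lo0 is exactly where the jail-to-jail packets
# were seen, so every rule below would be bypassed for them.
# set skip on lo0

# Anchors for the per-jail "rdr pass" rules that exec.poststart loads with
# "pfctl -a 'jails/<name>-ipv4' -f -".
rdr-anchor "jails/*"
anchor     "jails/*"

# Default deny on every interface, both directions; last matching rule
# wins unless a rule says "quick".
block log all

# The host's own loopback traffic is not jail traffic and stays allowed.
pass quick on lo0 inet  from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet6 from ::1 to ::1

# Jail-to-jail policy by address, on both loopback interfaces: the proxy
# class may open SMTP/submission sessions to the mail class, and no other
# traffic crosses between jail addresses or reaches the host's loopback.
pass quick on $jail_ifs proto tcp from <proxy> to <mail> port { smtp, submission }
block log quick on $jail_ifs from $jail_nets to $jail_nets
block log quick on $jail_ifs from $jail_nets to { 127.0.0.0/8, ::1 }

# The host's own outbound traffic on the external interface.
pass out quick on $ext_if from ($ext_if) keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vvsr` shows the expanded rules and `pfctl -t proxy -T show` the addresses a started jail added; `tcpdump -ni lo0 host 10.3.2.1` then makes it visible whether the proxy jail's packets to another jail are still delivered over lo0, and `pfctl -ss` whether they were matched by the pass rule above rather than by the default block.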


More information about the freebsd-pf mailing list