Firewalling jails and lo0

Ernie Luzar luzar722 at gmail.com
Sat Aug 6 16:15:20 UTC 2016


Niklaas Baudet von Gersdorff wrote:
> Hi,
> 
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`) It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
> 
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
> 
> However, today I realized that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.
> 
> I was quite surprised by that behavior. So, if I want to isolate
> the jails and restrict traffic from and to them, will I need to
> remove skipping on lo0 and block there too?
> 
> Any advice and explanation is very much appreciated.
> 
>     Niklaas

This bug report will answer your questions for non-vimage jails.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
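An added pf.conf sketch illustrating the setup described in the question (it is not from this thread or from the bug report above). It assumes the jails use 10.0.1.0/24 and 2001:db8:1::/64 on lo1, shows the `set skip on lo0` line left out, and writes the jail rules for lo0 and lo1 alike so the interface the kernel picks for local delivery does not matter.

```pf
# Added example, not from the thread or the bug report. Assumed values:
# jail addresses are 10.0.1.0/24 and 2001:db8:1::/64, configured on lo1.
jail_if = "lo1"
table <jails> const { 10.0.1.0/24, 2001:db8:1::/64 }

# Setting from the question: exempt loopback from filtering entirely.
# Jail traffic that the kernel hands to lo0 (host <-> jail, jail <-> jail)
# would then never be evaluated against the rules below, so it is omitted.
# set skip on lo0

# Loopback traffic between host addresses only stays unrestricted.
pass quick on lo0 from ! <jails> to ! <jails>

# Jail rules apply on both interfaces; pf's last-match rule means the
# "pass quick" lines further down are the only exceptions.
block log on { lo0 $jail_if } from <jails>
block log on { lo0 $jail_if } to <jails>

# Example allowances: jails may resolve names and fetch over HTTP(S).
pass quick on { lo0 $jail_if } proto udp from <jails> to any port 53
pass quick on { lo0 $jail_if } proto tcp from <jails> to any port { 80 443 }

# Jail traffic leaving on the external interface is governed by the
# usual egress rules elsewhere in pf.conf.
```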

