Firewalling jails and lo0

Ernie Luzar luzar722 at
Sat Aug 6 16:15:20 UTC 2016

Niklaas Baudet von Gersdorff wrote:
> Hi,
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`) It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
> However, today I realized that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.
> I was quite surprised by that behavior. So, if I want to isolate
> the jails and restrict traffic from an to them, will I need to
> remove skipping on lo0 and block there too?
> Any advice and explanation is very much appreciated.
>     Niklaas

This bug report will answer your questions for non-vimage jails.

More information about the freebsd-questions mailing list