Firewalling jails and lo0
Niklaas Baudet von Gersdorff
stdin at niklaas.eu
Mon Aug 8 08:19:19 UTC 2016
Ernie Luzar [2016-08-07 13:20 -0400] :
> > Aha. So once I assigned those traffic from/to jails should go
> > through lo1 solely?
>
> YES.
Thank you for clarifying that and your help. So, I attached
additional IP addresses on the jail host side accordingly:
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
[...]
inet 127.77.0.1 netmask 0xff000000
inet6 ::77:0:0:0:1 prefixlen 128
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
However, I still see packets being transmitted over lo0.
What I tried then was attaching loopback addresses to the jails,
like 127.77.2.1/8 and ::77:0:0:2:1/128. I did that for two jails
(each on a different subnet) and checked with telnet whether they
would start communicating over lo1. They didn't though.
> I am still missing info on your jail.conf. Post the jail.conf file for the
> jails in question.
The following is an extract of /etc/jail.conf.
$box = "box-hlm-03";
$box_jail_net = "3";

$private_ip4 = "10.$box_jail_net.$network.$id";
$private_ip4_prefixlen = "16";
$private_ip6 = "fd16:dcc0:f4cc:$box_jail_net::$network:$id";
$private_ip6_prefixlen = "64";
$local_ip4 = "10.77.$network.$id";
$local_ip6 = "fd16:dcc0:f4cc:77::$network:$id";
$loopback_ip4 = "127.77.$network.$id";
$loopback_ip6 = "0:0:0:77::$network:$id";
$loopback_ip4_prefixlen = "8";
$loopback_ip6_prefixlen = "128";

host.hostname = "$name.$box.klaas";
path = "/usr/local/jails/$name";
ip4.addr = "lo1|$private_ip4/$private_ip4_prefixlen";
ip6.addr = "lo1|$private_ip6/$private_ip6_prefixlen";
ip4.addr += "lo1|$local_ip4/$private_ip4_prefixlen";
ip6.addr += "lo1|$local_ip6/$private_ip6_prefixlen";
ip4.addr += "lo1|$loopback_ip4/$loopback_ip4_prefixlen";
ip6.addr += "lo1|$loopback_ip6/$loopback_ip6_prefixlen";
mount = "/usr/local/jails/templates/base-10.3-RELEASE /usr/local/jails/$name nullfs ro 0 0";
mount += "/usr/local/jails/thinjails/$name /usr/local/jails/$name/jail nullfs rw 0 0";
mount.devfs;

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

exec.prestart = "pfctl -t $class -T add $private_ip4 $private_ip6 $local_ip6 $local_ip4";
exec.prestop = "pfctl -t $class -T delete $private_ip4 $private_ip6 $local_ip6 $local_ip4";

exec.consolelog = "/usr/local/jails/$name.log";

proxy1 {
host.hostname = "$name.$box.niklaas.eu";
$network = 2;
$id = 1;
$class = "proxy";
exec.poststart += "echo 'rdr pass inet6 proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
exec.poststart += "echo 'rdr pass inet proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
exec.poststop += "pfctl -a jails/$name-ipv6 -F all";
exec.poststop += "pfctl -a jails/$name-ipv4 -F all";
}

smtp1 {
host.hostname = "mx.$box.niklaas.eu";
$network = 8;
$id = 1;
$class = "mail";
}
> Also what services are running on the host that you want to
> communicate with the smtp jail. You have to change the smtp
> config file to tell it to use the new lo1:127.0.10.2 ip address
> and you have to do the same thing for what ever host service
> will communicate with the smtp jail. They all have to be using
> the same lo1:127.0.10.2 ip. Most admins just keep those types of
> services on the host because it's just easier.
I am not sure whether I really want to do what you think I want
to. :-) I would like to restrict the jails to solely use the
interface they have an IP address attached to -- regardless of
the running services in them.
The only reason why I intend such a restriction is to limit the
damage a potentially malicious jail can cause to other jails. If
I configured the services to listen on the address you described
above -- while I might make them use lo1 exclusively -- this
would not prevent any malicious program from using lo0.
My issue can be reduced to the question: When using jails, to
secure network traffic as best as I can, do I have to enable the
firewall on lo0 or is enabling it on the interface they are
attached to (in my case lo1) enough?
And: What do I need to do to restrict jails from using lo0?
Sorry if I misunderstood you.
Niklaas
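A pf.conf fragment, added here as an illustration and not part of the original mail, showing one way to consume the per-class tables that the exec.prestart lines in the jail.conf above populate: it default-denies jail-to-jail traffic on lo1, allows only the proxy class to reach the mail class, and additionally drops jail addresses seen on lo0. The interface and table names come from the jail.conf; the address ranges, the allowed ports and the absence of a `set skip on lo0` line are assumptions.

```pf
# Added example, not from the original mail. Assumes the address plan
# of the jail.conf above (10.3/16, 10.77/16, 127.77/16, fd16:dcc0:f4cc:3::/64,
# fd16:dcc0:f4cc:77::/64, 0:0:0:77::/96) and that pf.conf does NOT contain
# "set skip on lo0" -- with that line, every rule on lo0 below is inert.

jail_if = "lo1"

# Tables filled by exec.prestart / emptied by exec.prestop in jail.conf.
# "persist" keeps them alive while the last jail of a class is stopped.
table <proxy> persist
table <mail>  persist

# Every range a jail address can fall into (assumed from the jail.conf variables).
jail_nets = "{ 10.3.0.0/16, 10.77.0.0/16, 127.77.0.0/16, \
               fd16:dcc0:f4cc:3::/64, fd16:dcc0:f4cc:77::/64, 0:0:0:77::/96 }"

# Default deny on the jail interface, logged so blocked attempts appear in pflog.
# This also cuts host<->jail traffic on lo1 (e.g. from 127.77.0.1); add explicit
# pass rules for the host addresses you actually need.
block log on $jail_if all

# Only the proxy class may open the mail-related ports on the mail class.
# Loopback-style interfaces see each packet both "out" and "in", so pass
# both directions explicitly; the reply path is covered by state.
pass out quick on $jail_if proto tcp from <proxy> to <mail> port { smtp submission imaps }
pass in  quick on $jail_if proto tcp from <proxy> to <mail> port { smtp submission imaps }

# Belt and braces: jail addresses have no business on lo0 in either direction.
# If pflog ever shows a hit here, a jail found a path off lo1.
block log quick on lo0 from $jail_nets to any
block log quick on lo0 from any to $jail_nets
```

Check the resulting table contents with `pfctl -t proxy -T show` after a jail starts, and watch `tcpdump -n -e -ttt -i pflog0` while repeating the telnet test between the two jails to see which interface and rule each blocked packet hits.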