testing 11.0-RC1 vnet jails with ipfilter
Ernie Luzar
luzar722 at gmail.com
Wed Aug 17 01:04:56 UTC 2016
Bjoern A. Zeeb wrote:
> On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
>
>> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
>> <snip>
>>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>>> message, "open device: no such file or directory. User kernel version
>>> check failed."
>>
>> According to ipf(8), the ipfilter utilities touch /dev/ipauth , /dev/ipl
>> , and /dev/ipstate . Have you checked that the devfs ruleset applied to
>> your jail has those unhidden?
>>
>>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>>> message, "open(IPSTATE_NAME): no such file or directory."
>>
>> ipfstat(8) also lists /dev/kmem ; I suspect that including this may be a
>> bad idea.
>
> /dev/kmem is a bad idea; I should go and check what it is using it for
> and if needed we should fix that.
>
>
> I guess the general thing is that we might want to create another
> default set of devfs rules which include additional nodes we now
> consider safe inside VNET jails; the jail.conf still needs to know the
> right ruleset to apply, so the jail.conf would need to specify the other
> devfs_ruleset="..." for vnet jails. Maybe Jamie could then come up with
> an intelligent solution that would automatically flip things if option
> vnet is set? I guess jail.conf(5) will need more examples for these
> things as well.
>
>
> /bz
>
If that's the road you are thinking of going down, then we have to look
at the big picture. Is it another rule set, say number 5, that includes rule
set number 4 plus the nodes for ipfilter, pf, and ipfw? Or maybe a
separate rule set for each firewall, which is more secure?
There is no way jail(8) could know which firewall, if any, was going to be
run in the vnet jail in order to select the correct rule set if there were
separate rule sets for each firewall. A combined rule set containing
everything needed for all 3 firewalls would be something jail(8) could
default to automatically if the vnet option was coded.
In light of the 11.0 release being published soon, there should be something
posted in the release notes talking about this, with sample code for a
combined rule #5. This would give vnet users a copy & paste solution to
use until jail(8) gets updated in 11.1.
I tried this rule set in /etc/devfs.rules:
# name changed: devfsrules_jail is already ruleset 4 in
# /etc/defaults/devfs.rules, so reusing the name makes $devfsrules_jail
# expand to this set and the include below would refer to itself
[devfsrules_jail_vnet=5]
add include $devfsrules_jail
# devfs(8) matches paths relative to /dev, so "/dev/ipl" never matches
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
At boot time I got an error message saying that this was invalid.
If I could get a combined rule #5 file with the correct syntax, I could
continue testing all 3 firewalls using 11.0-RC1.
Your help would be greatly appreciated.
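As an added example (not part of the post above and not FreeBSD code), the
following POSIX sh/awk script lints a candidate /etc/devfs.rules ruleset the
way rc.subr's devfs_rulesets_from_file will read it, so the two mistakes that
make a ruleset fail at boot can be caught before rebooting: a [name=N] header
whose name is already defined in /etc/defaults/devfs.rules (rc.subr sets a
shell variable per ruleset name, so the later definition wins and
"add include $name" then refers to the set being defined), or whose number is
already taken; and an "add path" with an absolute /dev/... pattern, which
devfs(8) matches relative to the devfs mount point and therefore never
matches anything. The defaults file embedded below is an abridged,
constructed copy of the stock rulesets 1-4; the ruleset name
devfsrules_jail_vnet is an assumption, any unused name works.

```shell
#!/bin/sh
# Lint a local devfs.rules ruleset against the defaults it builds on.
# Example code, not part of the original post or of FreeBSD.

WORK="${TMPDIR:-/tmp}/devfs-lint.$$"

# Constructed sample files: an abridged /etc/defaults/devfs.rules, the ruleset
# exactly as posted (bad.rules) and a corrected version (good.rules).
write_samples() {
    mkdir -p "$WORK"
    cat > "$WORK/defaults.rules" <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide
add path random unhide

[devfsrules_unhide_login=3]
add path 'tty*' unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
EOF
    cat > "$WORK/bad.rules" <<'EOF'
[devfsrules_jail=5]
add include $devfsrules_jail
add path /dev/ipl unhide
add path /dev/ipauth unhide
add path /dev/ipstate unhide
EOF
    cat > "$WORK/good.rules" <<'EOF'
[devfsrules_jail_vnet=5]
add include $devfsrules_jail
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
EOF
}

# lint_devfs_rules DEFAULTS LOCAL
# Prints one line per problem; exit status is the number of problems (0 = clean).
lint_devfs_rules() {
    awk '
    function err(msg) { errors++; print FILENAME ":" FNR ": " msg }
    BEGIN { errors = 0 }
    # [name=N] header: remember name -> number and number -> name
    /^[ \t]*\[[A-Za-z_][A-Za-z0-9_]*=[0-9]+\][ \t]*$/ {
        hdr = $0; sub(/^[ \t]*\[/, "", hdr); sub(/\][ \t]*$/, "", hdr)
        split(hdr, kv, "="); name = kv[1]; num = kv[2]
        if (name in names)
            err("ruleset name " name " already defined as " names[name] "; pick a new name")
        else if (num in nums)
            err("ruleset number " num " already used by " nums[num])
        names[name] = num; nums[num] = name   # later definition wins, as in rc.subr
        cur = name; next
    }
    # add include $name | add include N
    /^[ \t]*add[ \t]+include[ \t]+/ {
        ref = $3
        if (ref ~ /^\$/) {
            sub(/^\$/, "", ref)
            if (!(ref in names)) { err("include of undefined ruleset $" ref); next }
            ref = names[ref]
        }
        if (ref == names[cur]) err("ruleset " cur " includes itself")
        next
    }
    # add path PATTERN ...: patterns are relative to the devfs mount point
    /^[ \t]*add[ \t]+path[ \t]+/ {
        p = $3; gsub(/[\047"]/, "", p)
        if (p ~ /^\//) {
            rel = p; sub(/^\/dev\//, "", rel)
            err("path " p " is absolute; devfs paths are relative to /dev, use " rel)
        }
        next
    }
    END { exit (errors > 255 ? 255 : errors) }
    ' "$1" "$2"
}

# Stand-alone demo: the as-posted ruleset reports 5 problems, the fixed one none.
write_samples
echo "== bad.rules =="
lint_devfs_rules "$WORK/defaults.rules" "$WORK/bad.rules" || echo "$? problem(s)"
echo "== good.rules =="
lint_devfs_rules "$WORK/defaults.rules" "$WORK/good.rules" && echo "clean"
```

To use it on a real system, point the first argument at /etc/defaults/devfs.rules
and the second at /etc/devfs.rules, then apply with "service devfs restart" and
confirm with "devfs rule -s 5 show". Two facts not stated in the post but worth
knowing when building the combined rule set the post asks for: pf's userland
tools open /dev/pf, so that node needs an unhide entry too, while ipfw talks to
the kernel over a raw socket and needs no device node at all.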