testing 11.0-RC1 vnet jails with pf firewall
Ernie Luzar
luzar722 at gmail.com
Wed Aug 17 20:46:15 UTC 2016
Hello list;
Running 11.0-RC1 with only option vimage compiled into the generic kernel.
PF runs fine on the host. Have pf rules to pass and log everything and I
see what I expect to see in the host's pf log. Issuing ifconfig on the
host shows
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
groups: pflog
I added this to the vnet jail's rc.conf
pf_enable="YES"
pflog_enable="YES"
The jail.conf for the vnet jail has devfs rule #6 which contains this
[devfsrules_vjail_pf=6]
add include $devfsrules_jail
add path pf unhide
add path pfsync unhide
add path pflog unhide
When I start the vnet jail it comes up just fine. Issuing ifconfig from
within the vnet jail shows
pflog0: flags=0<> metric 0 mtu 33184
groups: pflog
You can see pflog0 has been created but not running.
There is no /var/log/pflog file in the vnet jail.
Issuing the "pfctl -sr -vv" command from within the vnet jail shows
No ALTQ support in kernel
ALTQ related functions disabled
@0 pass log (all) quick on epair2b all flags S/SA keep state
[ Evaluations: 11 Packets: 55 Bytes: 8366 States: 0 ]
[ Inserted: uid 0 pid 2561 State Creations: 11 ]
I can ping the public from within the vnet jail.
These limited signs seem to indicate the pf firewall is working in some
limited way in the vnet jail.
The real problem is with pf logging. There is none. The single pass rule
that runs in the vnet jail should be generating log data from the ipv4
pings I do and whois packets. There is even nothing in the host's pf log.
The only things I see in the host's pf log are ipv6 ping6 multicasts and
ipv6 dns inquiry requests going out the host's external interface. The
vimage literature talks about unique firewalls per vnet jail. To me that
translates into the firewall generating logs in the vnet jail directory
tree.
I rebooted the host and used a kernel compiled with vimage and pf. Got
same results.
Suggestions about what I can try to get logging working in the vnet jail
so it logs to the vnet jail's directory tree sure would be appreciated.
Thanks
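A small diagnostic script, added here and not part of the original post, that checks from inside the jail the same three things the post inspects by hand: whether pflog0 shows UP and RUNNING, whether the loaded ruleset has any rule with the log keyword, and whether pflogd is running and has created /var/log/pflog. The ifconfig, pfctl and ps invocations assume a FreeBSD userland; the parsing functions read their input from stdin so they can also be checked against captured output.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Summarises the pflog
# state in a vnet jail from the same evidence the post looks at.

# Return 0 if the ifconfig output on stdin shows pflog0 with UP and RUNNING.
# In the post, the host shows flags=141<UP,RUNNING,PROMISC> and the jail
# shows flags=0<>, which is what this distinguishes.
pflog_iface_running() {
    awk '/^pflog0:/ { if ($2 ~ /UP/ && $2 ~ /RUNNING/) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Return 0 if the pfctl -sr output on stdin contains a pass/block rule that
# carries the log keyword (pflog0 stays idle if no rule logs).
ruleset_has_log_rule() {
    grep -Eq '^(@[0-9]+ )?(pass|block).* log'
}

# Print the number of pflogd processes in the ps output on stdin.
pflogd_count() {
    grep -c '[p]flogd' || true
}

pflog_report() {
    if ifconfig pflog0 2>/dev/null | pflog_iface_running; then
        echo "pflog0: UP and RUNNING"
    else
        echo "pflog0: not running (nothing has attached to it)"
    fi
    if pfctl -sr 2>/dev/null | ruleset_has_log_rule; then
        echo "ruleset: at least one rule has the log keyword"
    else
        echo "ruleset: no rule logs, so no pflog data can be produced"
    fi
    echo "pflogd processes: $(ps ax | pflogd_count)"
    if [ -s /var/log/pflog ]; then
        echo "/var/log/pflog: present, $(wc -c < /var/log/pflog) bytes"
    else
        echo "/var/log/pflog: missing or empty (pflogd creates it on start)"
    fi
}

# Run the report only when asked, so the file can also be sourced for its
# functions: sh pflog_check.sh report
if [ "${1:-}" = "report" ]; then pflog_report; fi
```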