testing 11.0-RC1 vnet jails with pf firewall

Ernie Luzar luzar722 at gmail.com
Wed Aug 17 20:46:15 UTC 2016

Hello list;

Running 11.0-RC1 with only option vimage compiled into the generic kernel.

PF runs fine on the host. Have pf rules to pass and log everything and I 
see what I exspect to see in the hosts pf log. Issuing ifconfig on the 
host shows

pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
         groups: pflog

I added this to the vnet jails rc.conf

The jail.conf for the vnet jail has devfsrule # 6 which contains this
add include $devfsrules_jail
add path pf     unhide
add path pfsync unhide
add path pflog  unhide

When I start the vnet jail it comes up just fine. Issuing ifconfig from 
within the vnet jail shows

pflog0: flags=0<> metric 0 mtu 33184
         groups: pflog

You can see pflog0 has been created but not running.
There is no /var/log/pflog file in the vnet jail.

Issuing the "pfctl -sr -vv" command from within the vnet jail shows

No ALTQ support in kernel
ALTQ related functions disabled
@0 pass log (all) quick on epair2b all flags S/SA keep state
   [ Evaluations: 11    Packets: 55    Bytes: 8366    States: 0     ]
   [ Inserted: uid 0 pid 2561 State Creations: 11    ]

I can ping the public from within the vnet jail.

These limited signs seem to indicate the pf firewall is working in some 
limited way in the vnet jail.

The real problem is with pf logging. There is none. The single pass rule 
that runs in the vnet jail should be generating log data from the ipv4 
pings I do and whois packets. There is even nothing in the hosts pf log.

The only things I see in the hosts pf log are ipv6 ping6 multacasts and 
ipv6 dns inquire requests going out the hosts external interface. The 
vimage literature talks about unique firewalls per vnet jail. To me that 
translates into the firewall generating logs in the vnet jail directory 

I rebooted the host and used a kernel compiled with vimage and pf. Got 
same results.

Suggesting about what I can try to get logging working in the vnet jail 
so it logs to the vnet jails directory tree sure would be apprehended.


More information about the freebsd-questions mailing list