Problem 11.0-RC1 vnet jails with ipfilter

Ernie Luzar luzar722 at gmail.com
Mon Aug 22 22:52:51 UTC 2016


Hello List.

I have a working setup where I am running IPF on the host and in a vnet 
jail at the same time. The problem is I don't think the vnet IPF rules 
are being enforced. To verify the vnet IPF rules are active and being 
enforced, I have a rule to deny outbound for port 43. Port 43 is used by 
the "whois" command. When I issue the "whois" command from the vnet jail 
console, I get whois results when it should not function. I may have 
overlooked something or my testing concept may be faulty, so I am 
requesting some other eyes to review what I am doing for a reason I am 
getting the results I am getting.

I have run the test using a vimage kernel and a vimage/ipf kernel and 
get the same results.

The vnet jail is using this /etc/devfs.rules rule

[devfsrules_vjail_ipf=60]
add include $devfsrules_jail
add path ipl     unhide
add path ipl0    unhide
add path ipf     unhide
add path ipauth  unhide
add path ipnat   unhide
add path ipstate unhide
# used by ipstate
#add path kmem    unhide
#add path kernel  unhide

and yes the "devfs rule showsets" command does show rule number 60.

Issuing the ipfilter command "ipfstat -hnoi" from the host console shows 
these rules

0 @1 pass out quick on lo0 all
0 @2 pass out log quick on fxp0 all
0 @1 pass in quick on lo0 all
1 @2 pass in log quick on fxp0 all

Issuing the ipfilter command "ipfstat -hnoi" from the started vnet jail
console shows these rules

0 @1 pass out quick on lo0 all
0 @2 block out log quick on epair17b proto tcp from any to any port = 
nicname
0 @3 pass out log quick on epair17b all
0 @1 pass in quick on lo0 all
0 @2 pass in log quick on epair17b all

There are 0 counts because the ipstate command is restricted from 
accessing kmem & kernel from inside of the vnet jail.

But this at lease seems to indicate ipfilter is running in the vnet jail.

Issuing the "ping" command from the started vnet jail console works and 
the hosts ipfilter log shows this  [sniped to fit]

fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN


Issuing the "whois" command from the started vnet jail console works 
also, but should not work because of the block rule on port 43.
The hosts ipfilter log shows this  [sniped to fit]

fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 60 -S OUT
fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 60 -AS IN
fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 52 -A OUT
fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 61 -AP OUT
fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 52 -A IN
fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 367 -AP IN
fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 52 -AF IN
fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 52 -A OUT
fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 52 -AF OUT
fxp0 @0:2 p 10.2.0.2,51903 -> 199.71.0.46,43 PR tcp len 20 60 -S OUT
fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 52 -A IN
fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 60 -AS IN
fxp0 @0:2 p 10.2.0.2,51903 -> 199.71.0.46,43 PR tcp len 20 52 -A OUT
fxp0 @0:2 p 10.2.0.2,51903 -> 199.71.0.46,43 PR tcp len 20 63 -AP OUT
fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 52 -A IN
fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 293 -AP IN
fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 1500 -A IN


I would think that this indicates that the ipfilter rules in a vnet jail 
are not functioning.

I can start the vnet jail without any firewall running in it and get the 
same results.

Thanks for your help.







More information about the freebsd-questions mailing list