how to make a non-vnet jail local only?

Arthur Chance freebsd at
Wed Aug 5 16:09:33 UTC 2020

On 05/08/2020 15:17, Ernie Luzar wrote:
> Arthur Chance wrote:
>> On 05/08/2020 02:02, Ernie Luzar wrote:
>>> I have non-vnet jails working that can reach the public internet.
>>> But now I would like to make some local only non-vnet jails that can
>>> only access other local only non-vnet jails. By local meaning have no
>>> access to the public internet.
>>> How do I make this happen?
>>> Thanks for any pointers.
>> Create a second loopback interface (cloned_interfaces="lo1" in
>> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
>> local jails on lo1 without access to any other interface.
> I tested this already and it doesn't work.
> non-vnet jail with lo99 for the nic and ip address of can
> still reach the public internet.

This surprises me. It's a while since I looked at the network handling
code, but I was under the impression any packet, whatever its address,
on an interface with the LOOPBACK flag set was not routed off the
machine. But see below.

> Also tested a non-vnet jail with re0 for the nic and ip address of
> and it can NOT reach the public internet.
> Created a second non-vnet jail with re0 for the nic and ip address of
> and it can NOT reach the public internet.

Also in the network code, any packet with a loopback address as either
source or destination is not routed off machine. This behaviour is
mandated by RFC 1122. It obviously works, no matter what the interface.
However, using a loopback address on a non-loopback interface is logged
as a bad address. You're not supposed to put loopback addresses on
non-loopback interfaces.

> But these 2 jails can ping each other.

This does not involve off machine routing. Given that you wanted
non-vnet jails to talk to each other, this would seem to be exactly what
you need.

> So the nic loX has nothing to do with limiting the non-vnet jail to
> local host access only. Based on the above 2 tests it looks like the
> through ip address range is the local host
> controlling factor.
> Just to cover all the bases. The host firewall allows the lo0 interface
> to pass without any rules. The lo99 interface has no firewall rules at
> all or any NAT rules for is the only ip address
> range being NATed.

I suspect (well, guess) the NATing is what is allowing the lo99 packets
to be routed off machine. Try reading the relevant bits of the source
code (in /usr/src/sys/netinet, probably ip_{in,out}put.c and maybe
ip_fastfwd.c), plus the relevant firewall code if you're really interested.

> To see if has some special internal limiting factor on it or
> if because the firewall does not NAT is the cause of
> non-vnet jails not being able to reach the public internet.

As I said above, this is mandatory behaviour. Even if a packet with a
loopback address was emitted by your machine, your ISP should drop it as
part of their bogon filtering. (Sadly, "should" isn't the same as "will".)

> So I created a 3rd non-vnet jail with re0 for the nic and ip address of
> and made no changes to the firewall or NAT. This jail can
> NOT reach the public internet, but can ping the other 2 local only jails
> and
> So the conclusion is that loX or has nothing to do with
> being the controlling factor between local or public non-vnet jails. The
> real controlling factor is in the jails ip address being NATed or not.
> Can this conclusion be disputed?

I'm sure you can find someone on the net to dispute with you if you
really want. :-) Personally I can't be bothered.

The firewall rules also have an effect on routing (duh!), but as you've
not said which firewall you're using I can't address that. However,
putting all the jails you don't want to access the outside world on their
own lo interface with their own subnet means you could simply firewall
that interface off from the outside, which is nice and simple.

The approach I'm using these days is to use IPv6 for almost everything
that's purely in house, and avoid NAT like the horrible hack it is. If
you want a set of jails to only be able to speak to each other and the
host then using a cloned lo interface and pure link local addresses is
nice and simple and doesn't involve a firewall at all.

The number of people predicting the demise of Moore's Law doubles
every 18 months.
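An added example of the cloned-loopback approach discussed in this reply (it is not from Arthur's post, nor FreeBSD's own sample files): two non-vnet jails live only on a second loopback interface with a private IPv4 subnet, that subnet is left out of the NAT rule, and as belt and braces anything from it is dropped at the external NIC. Every name, path and address here (lo1, re0, 10.99.0.0/24, 10.0.0.0/24 for the existing internet-facing jails, the jail names db and app) is an assumed value; Arthur's IPv6 link-local variant is not shown.

```conf
# /etc/rc.conf (host): clone a second loopback interface at boot and give
# the host one address on it. 10.99.0.0/24 is an assumed example subnet
# that must never appear in a NAT rule.
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.99.0.1/24"
jail_enable="YES"
pf_enable="YES"

# /etc/jail.conf (host): two non-vnet jails whose only addresses sit on
# lo1. The "interface|address/mask" form makes jail(8) add the address to
# lo1 when the jail starts and remove it when it stops. Names, paths and
# addresses are assumed example values.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";

db  { ip4.addr = "lo1|10.99.0.2/24"; }
app { ip4.addr = "lo1|10.99.0.3/24"; }

# /etc/pf.conf (host): only the "public" jail subnet is NATed; the lo1
# subnet is not, and is additionally blocked at the external interface in
# both directions. ext_if and 10.0.0.0/24 are assumed example values.
ext_if    = "re0"
local_net = "10.99.0.0/24"
pub_jails = "10.0.0.0/24"

# Jail-to-jail traffic between local addresses is delivered on the
# loopback path, so the loopback interfaces are skipped rather than
# filtered; the enforcement point is the external interface.
set skip on { lo0 lo1 }

nat on $ext_if from $pub_jails to any -> ($ext_if)

block drop out quick on $ext_if from $local_net to any
block drop in  quick on $ext_if to $local_net
pass out on $ext_if from ($ext_if) to any keep state
```

For manual testing without a reboot, `ifconfig lo1 create` followed by `ifconfig lo1 inet 10.99.0.1/24`, `service pf reload` and `service jail start db app` brings the same setup up; from inside db, pinging 10.99.0.3 should work while anything outside 10.99.0.0/24 should fail, and `pfctl -vs rules` should show the `block drop out` counter climbing if a jail tries.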
