how to make a non-vnet jail local only?

Shane Ambler FreeBSD at ShaneWare.Biz
Thu Aug 6 03:48:49 UTC 2020


On 6/8/20 1:39 am, Arthur Chance wrote:
> On 05/08/2020 15:17, Ernie Luzar wrote:
>> Arthur Chance wrote:
>>> On 05/08/2020 02:02, Ernie Luzar wrote:
>>>> I have non-vnet jails working that can reach the public internet.
>>>> But now I would like to make some local only non-vnet jails that can
>>>> only access other local only non-vnet jails. By local meaning have no
>>>> access to the public internet.
>>>>
>>>> How do I make this happen?
>>>>
>>>> Thanks for any pointers.
>>>
>>> Create a second loopback interface (cloned_interfaces="lo1" in
>>> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
>>> local jails on lo1 without access to any other interface.
>>>
>>
>> I tested this already and it doesn't work.
>>
>> non-vnet jail with lo99 for the nic and ip address of 10.0.28.5 can
>> still reach the public internet.

Do you have bridging or routing enabled?

Routing can receive foreign packets on an interface and route them to a
different interface.

Bridging connects interfaces, sending the same packets on each.


While I don't have jails set up, I use sysutils/vm-bhyve for bhyve
instances. I have two "vm switches" which are bridge interfaces
connecting bhyve instances with physical interfaces, one bridges with
wlan0 and allows a vm to get internet access, the second bridges with
re0, which has no physical connection and provides no internet access to
bhyve instances, but I can ssh into it from the host.

I have -
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
net.inet.ip.sourceroute: 0

-- 
FreeBSD - the place to B...Sharing Desktops

Shane Ambler
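Added example, not part of the thread above: a small POSIX shell audit of the host knobs Shane asks about (routing and bridging) for a jail meant to live only on a cloned loopback such as lo1. The sysctl names net.link.bridge.pfil_bridge and net.inet.ip.sourceroute are taken from his reply; net.inet.ip.forwarding is the standard FreeBSD routing knob and is assumed here as the "routing enabled" setting he means. The sample sysctl output is constructed. Because a non-vnet jail shares the host's network stack, these knobs being off is necessary but not sufficient; a packet-filter rule keyed on the jail's address is still the check that actually confines it.

```shell
#!/bin/sh
# Added example (not from the mailing list). Reads sysctl(8)-style "name: value"
# lines and reports the settings that let traffic from a loopback-only jail cross
# to another interface. net.inet.ip.forwarding is assumed to be the routing knob.

# audit_sysctls: reads "name: value" lines on stdin, prints one WARN line per
# risky setting and a final LEAKS=<n> summary line.
audit_sysctls() {
    leaks=0
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        case "$name" in
            net.inet.ip.forwarding)
                # Routing between interfaces ("routing enabled" in the thread).
                if [ "$value" != "0" ]; then
                    echo "WARN: $name=$value (host routes packets between interfaces)"
                    leaks=$((leaks + 1))
                fi ;;
            net.link.bridge.pfil_bridge)
                # With 0, pf/ipfw never see bridged frames, so filter rules
                # cannot confine a jail whose interface is bridge-connected.
                if [ "$value" = "0" ]; then
                    echo "WARN: $name=$value (packet filter does not see bridged traffic)"
                    leaks=$((leaks + 1))
                fi ;;
            net.inet.ip.sourceroute)
                if [ "$value" != "0" ]; then
                    echo "WARN: $name=$value (source-routed packets are honoured)"
                    leaks=$((leaks + 1))
                fi ;;
        esac
    done
    echo "LEAKS=$leaks"
}

# Constructed sample: a host with routing switched on.
SAMPLE_SYSCTL='net.inet.ip.forwarding: 1
net.link.bridge.pfil_bridge: 1
net.inet.ip.sourceroute: 0'

# run_sample: audit the constructed sample instead of the live host.
run_sample() {
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctls
}

# On a FreeBSD host audit the live values; anywhere else run the sample.
if [ "$(uname -s)" = "FreeBSD" ]; then
    sysctl net.inet.ip.forwarding net.link.bridge.pfil_bridge net.inet.ip.sourceroute | audit_sysctls
else
    run_sample
fi
```

Run it on the jail host after creating lo1; a LEAKS=0 result means none of the three knobs is in the state that moves packets across interfaces, and any remaining reachability comes from the shared host stack and has to be handled by the packet filter.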
