Message-ID: <5844B557.7050304@gmail.com>
Date: Mon, 05 Dec 2016 08:31:19 +0800
From: Ernie Luzar
To: marcel
CC: jail@freebsd.org
Subject: Re: Closing ports in jail with ipfw
References: <20161117233607.3430afd4@marcel-laptop.lan>
In-Reply-To: <20161117233607.3430afd4@marcel-laptop.lan>
List-Id: "Discussion about FreeBSD jail(8)"

marcel wrote:
> Hi there,
>
> I've created a jail and when I run nmap on its IP, I can see that ports
> 25 and 22 are open, but I don't want that. So I've tried to create an IPFW
> rule by adding 'ipfw -q add 00290 deny all from router to jail' to my
> host ipfw conf file and applied it, but the jail's ports are still open. How
> can I close or open the ports of my jail?
>
> Thanks!

You cannot run nmap on the host targeting the jail's IP. Doing so only
shows you open ports on the host. You have to run nmap from a computer on
a different public IP address targeting the public IP address assigned to
the jail. If the jail is using a non-routable IP address, nmap is useless
in looking for the jail's open ports.