From owner-freebsd-pf@freebsd.org Sun Nov 5 09:37:05 2017
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 223208] [pf] pf.conf syntax (:peer) rules load incorrectly
Date: Sun, 05 Nov 2017 09:37:05 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223208

--- Comment #6 from Felix Z. ---
Kristof, can you try adding the IPv6 prefix before IPv4? And check this again.

ifconfig tun0 create
ifconfig tun0 inet6 fe80::1%tun0/64
ifconfig tun0 10.0.0.1 10.0.0.2

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Tue Nov 7 03:48:32 2017
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 223208] [pf] pf.conf syntax (:peer) rules load incorrectly
Date: Tue, 07 Nov 2017 03:48:32 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223208

--- Comment #7 from Kristof Provost ---
(In reply to Felix Z. from comment #6)

Yes, that seems to provoke it, even on CURRENT.
Hopefully I'll have the time to dig into this in a couple of days.
From owner-freebsd-pf@freebsd.org Tue Nov 7 15:50:15 2017
From: irukandji <irukandji@voidptr.eu>
To: freebsd-pf@freebsd.org
Subject: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Date: Tue, 07 Nov 2017 16:43:48 +0100
Message-ID: <1510069428.4725.31.camel@voidptr.eu>

Hi Everyone,

Problem: isolating a jail away from the internal network and the host "hosting" it.
Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0

I am unable to prevent the jail accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separate stack, but the host is still accessible from the jail.

Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.

Can PLEASE someone help me out?

Regards,
irukandji

From owner-freebsd-pf@freebsd.org Tue Nov 7 18:26:48 2017
From: Goran Mekić <meka@tilda.center>
To: irukandji
Cc: freebsd-pf@freebsd.org
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Date: Tue, 7 Nov 2017 19:18:06 +0100
Message-ID: <20171107181806.dus6nizw3n4flr73@hal9000.meka.no-ip.org>
In-Reply-To: <1510069428.4725.31.camel@voidptr.eu>

On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> Hi Everyone,
> 
> Problem: isolating a jail away from the internal network and the host "hosting" it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
> 
> I am unable to prevent the jail accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separate stack, but the host is still accessible from the jail.
> 
> Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
> 
> Can PLEASE someone help me out?
> 
> Regards,
> irukandji

I am not sure I understand the use case. Sounds to me like you would like to be a hosting provider where a bare-metal machine is hosting other people's jails, and you don't want those people to be able to access the underlying machine. Also, when you say "jail accessing host", does that mean over SSH or something else?
From owner-freebsd-pf@freebsd.org Wed Nov 8 08:37:57 2017
From: irukandji <irukandji@voidptr.eu>
To: Goran Mekić
Cc: freebsd-pf@freebsd.org
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Date: Wed, 08 Nov 2017 09:37:52 +0100
Message-ID: <1510130272.4903.8.camel@voidptr.eu>
In-Reply-To: <20171107181806.dus6nizw3n4flr73@hal9000.meka.no-ip.org>

The use case is to completely isolate the jail from the environment for running a honeypot. I can pf-filter the traffic coming from the jail to the internal network, but the FreeBSD server that is running the jails (called the "host" here) can be accessed from the jail using its IP.

I have tried various methods of configuring jails / pf, finally even recompiling the kernel for vimage/vnet support, but the problem stays.

If I execute tcpdump -i vnet0:3 I can see the traffic flowing from the jail IP to the host, but once I set up a rule for blocking it, like:

block quick on vnet0:3 all

...it doesn't work; the traffic passes as if there were no pf.

I am missing something, but I have no clue what...

Thank you.

On Tue, 2017-11-07 at 19:18 +0100, Goran Mekić wrote:
> On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> > Hi Everyone,
> > 
> > Problem: isolating a jail away from the internal network and the host "hosting" it.
> > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
> > 
> > I am unable to prevent the jail accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separate stack, but the host is still accessible from the jail.
> > 
> > Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
> > 
> > Can PLEASE someone help me out?
> > 
> > Regards,
> > irukandji
> 
> I am not sure I understand the use case. Sounds to me like you would like to be a hosting provider where a bare-metal machine is hosting other people's jails, and you don't want those people to be able to access the underlying machine. Also, when you say "jail accessing host", does that mean over SSH or something else?

From owner-freebsd-pf@freebsd.org Wed Nov 8 14:39:32 2017
From: "Kristof Provost"
To: irukandji
Cc: freebsd-pf@freebsd.org
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Date: Wed, 08 Nov 2017 22:39:23 +0800
Message-ID: <1AEA24B8-6A9B-41E0-9109-A79A66036DBB@sigsegv.be>
In-Reply-To: <1510069428.4725.31.camel@voidptr.eu>

On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
> Hi Everyone,
> 
> Problem: isolating a jail away from the internal network and the host "hosting" it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
> 
Can you show how you’ve started the jail and configured the network setup?
Are you running a vnet jail?

> I am unable to prevent the jail accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separate stack, but the host is still accessible from the jail.
> 
What pf rules do you have?

> Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
> 
It should be possible to do this, but there’s a lot of ways to set this up.

Also bear in mind that VIMAGE was experimental in 11.1. There are several important bugs that are not fixed in 11.1 (but are fixed in CURRENT), especially in combination with pf.
Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Nov 9 05:28:39 2017
From: Sami Halabi <sodynet1@gmail.com>
To: Kristof Provost
Cc: irukandji, freebsd-pf@freebsd.org
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Date: Thu, 9 Nov 2017 07:28:37 +0200
In-Reply-To: <1AEA24B8-6A9B-41E0-9109-A79A66036DBB@sigsegv.be>

Hi,

To completely isolate a specific jail, the following solution comes to my mind:

1. Use vimage.
2. Set up 1 broker jail. That jail will have ipfw (or pf, but I recall it has several bugs and kernel panics) with NAT, and will have 2 NICs from 2 different epairs, one to the host and the other to the isolated jail, aka 'private LAN'. You should NAT all traffic from the NIC with the isolated jail to the world, and block access to your own networks, plus all the restrictions you want.
3. Set up your jail with the epair NIC from the broker 'LAN' jail.

Just an idea.

Sami

On 8 Nov 2017 04:39 PM, "Kristof Provost" wrote:
> On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
> > Hi Everyone,
> > 
> > Problem: isolating a jail away from the internal network and the host "hosting" it.
> > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
> > 
> Can you show how you’ve started the jail and configured the network setup?
> Are you running a vnet jail?
> 
> > I am unable to prevent the jail accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separate stack, but the host is still accessible from the jail.
> > 
> What pf rules do you have?
> 
> > Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
> > 
> It should be possible to do this, but there’s a lot of ways to set this up.
> 
> Also bear in mind that VIMAGE was experimental in 11.1. There are several important bugs that are not fixed in 11.1 (but are fixed in CURRENT), especially in combination with pf.
> 
> Regards,
> Kristof
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
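The broker-jail layout Sami sketches, and the isolation irukandji is after (the honeypot must never reach the host or the internal network, only the world), rendered as configuration by an added example. This is an editor's example, not code from the thread or from any of its participants. It uses pf rather than ipfw in the broker jail, and every name and address is a constructed placeholder: epair0a/epair0b between the host's bridge0 and the broker, epair1a/epair1b between the broker and the honeypot, 192.168.1.201/24 for the broker's uplink, 10.99.0.0/24 for the private LAN, jail names broker and honeypot, and devfs ruleset 5 as the ruleset that exposes /dev/pf. The functions only render pf.conf and jail.conf text; nothing is applied, and pfctl -n is run only where it exists.

```shell
#!/bin/sh
# Added example, not from the thread: renders the pf.conf and jail.conf for a
# "broker" vnet jail between the host and an isolated honeypot jail.
# Constructed topology (all names and addresses are placeholders):
#   host bridge0 (192.168.1.0/24, host = 192.168.1.200)
#     epair0a (member of bridge0) <-> epair0b (broker uplink, 192.168.1.201/24)
#   broker: epair1a (private lan, 10.99.0.1/24)
#     <-> epair1b (honeypot, 10.99.0.2/24, default route 10.99.0.1)

# pf.conf for the broker jail.
# $1 uplink interface, $2 private-lan interface, $3 private-lan subnet,
# $4 comma-separated networks the honeypot must never reach (host + internal).
broker_pf_conf() {
    cat <<EOF
ext_if = "$1"
int_if = "$2"
lan_net = "$3"
table <protected> const { $4 }

set skip on lo0
set block-policy drop

# hide the honeypot behind the broker's own uplink address
nat on \$ext_if from \$lan_net to any -> (\$ext_if)

block all
# the honeypot may never reach the host or the internal networks;
# "quick" makes this final before the pass rule below is considered
block in quick on \$int_if from \$lan_net to <protected>
# everything else from the honeypot may leave, statefully
pass in on \$int_if inet from \$lan_net to any keep state
pass out on \$ext_if inet keep state
# nothing on the uplink side may open connections into the private lan
block in on \$ext_if from any to \$lan_net
EOF
}

# jail.conf stanzas wiring the two jails. $1 broker name, $2 honeypot name.
# pf inside a vnet jail needs /dev/pf, hence the devfs ruleset (constructed: 5).
jail_conf() {
    cat <<EOF
$1 {
    path = "/jails/$1";
    host.hostname = "$1";
    vnet;
    vnet.interface = "epair0b", "epair1a";
    mount.devfs;
    devfs_ruleset = 5;
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair1 create";
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    exec.start  = "/sbin/ifconfig epair0b 192.168.1.201/24 up";
    exec.start += "/sbin/ifconfig epair1a 10.99.0.1/24 up";
    exec.start += "/sbin/sysctl net.inet.ip.forwarding=1";
    exec.start += "/sbin/pfctl -ef /etc/pf.conf";
    exec.poststop  = "ifconfig epair0a destroy";
    exec.poststop += "ifconfig epair1a destroy";
}
$2 {
    path = "/jails/$2";
    host.hostname = "$2";
    depend = "$1";
    vnet;
    vnet.interface = "epair1b";
    mount.devfs;
    exec.start  = "/sbin/ifconfig epair1b 10.99.0.2/24 up";
    exec.start += "/sbin/route add default 10.99.0.1";
}
EOF
}

# Syntax-check a rendered ruleset with pfctl when it is available.
# Returns 0 when accepted, 1 when rejected, 2 when pfctl is not installed.
pf_syntax_check() {
    command -v pfctl >/dev/null 2>&1 || return 2
    printf '%s\n' "$1" | pfctl -nf -
}

# Usage: sh broker.sh render   (no root needed; nothing is applied)
if [ "${1:-}" = "render" ]; then
    broker_pf_conf epair0b epair1a 10.99.0.0/24 "192.168.1.0/24"
    echo
    jail_conf broker honeypot
fi
```

The `<protected>` table is where the host's subnet and any other internal ranges go; because the `block in quick` rule precedes the stateful `pass in`, the honeypot's traffic to those ranges is dropped before any state is created, while its traffic to the world is translated to the broker's uplink address. The `depend` line makes the honeypot start after the broker and stop before it, so the epairs are torn down in the right order.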