From: Alexander Leidinger
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org, David Mehler
Date: Mon, 20 Jul 2020 10:36:36 +0200
Subject: Re: vnet jail for local only or public access
Message-ID: <20200720103636.Horde.zal5m0xvlYS4M6dDZMM12RE@webmail.leidinger.net>
In-Reply-To: <5F120AB9.8060209@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

This message is in MIME format and has been PGP signed.
Quoting Ernie Luzar (from Fri, 17 Jul 2020 16:31:53 -0400):

> Alexander Leidinger wrote:
>> Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400):
>>
>>> Trying to figure out how to configure a vnet jail so it is restricted
>>> to only being able to talk to other vnet jails on the same host, i.e.
>>> local-only vnet jails, as different to the type of vnet jails that are
>>> able to access the public internet.
>>>
>>> Using the bridge/epair method of connecting vnet jails to the host.
>>> [ based on this how-to ]
>>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>>
>>> It's my understanding that this behavior is controlled by whether the
>>> host's interface connected to the public internet is added as a member
>>> to the bridge the vnet jails' epairXa interfaces were members of.
>>
>> Partly correct. You can also have a setup where your host is routing
>> between what you call the public internet and the local-only vnets.
>>
>>> I tested this on a remote vm and found that it made no difference one
>>> way or the other if the host's interface connected to the public
>>> internet was added as a member to the bridge or not. In both cases the
>>> vnet jail had public internet access.
>>
>> It shouldn't, if there is no routing involved.
>>
>> Please show us "ifconfig -a" and "netstat -rn" of the host.
>>
>> Bye,
>> Alexander.
>>
>
> root >netstat -rn4
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            65.25.48.1         UGS         re0
> 10.0.0.0/8         link#1             U           em0
> 10.0.10.2          link#1             UHS         lo0
> 10.0.20.0/24       link#5             U      bridge10

You have a routing table entry for the bridge on the host.

> 10.0.20.2          link#5             UHS         lo0
> xxx.25.48.0/20     link#2             U           re0
> xxx.25.51.0        link#2             UHS         lo0
> 127.0.0.1          link#3             UH          lo0
> /root
>
> /root >ifconfig -a
> bridge10: flags=8843 metric 0 mtu 1500
>         description: qjail-vnet-jail-only-bridge
>         ether 02:3e:ba:a7:58:0a
>         inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: epair4a flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         groups: bridge
>         nd6 options=1

Your bridge has an IP address.

Both together: I suspect your host is routing between your jail and the
outside.

If you remove the IP address from the bridge, you should have a
jails-on-the-bridge-only setup.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
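The two signs Alexander reads off the poster's output (a route whose outgoing interface is the bridge, and an inet address on the bridge itself) are easy to check for mechanically. The script below is an added example and is not part of the thread or of anyone's actual configuration: it parses `ifconfig -a` and `netstat -rn4` style output, reports every bridge that carries an address or a route, and prints the `ifconfig bridgeN inet ADDR delete` command (real ifconfig(8) syntax) that turns the bridge back into a plain layer-2 switch between the jails' epair ends. The sample outputs are constructed, modelled on the thread with the public prefix replaced by documentation address space, and `bridge11` is an invented clean bridge for contrast.

```shell
#!/bin/sh
# Added audit helper (not from the thread): find bridges on which the host
# itself is a layer-3 participant, i.e. the setup that lets the host route
# between the "local only" vnet jails and the outside.

# Constructed sample of `ifconfig -a` output, modelled on the thread.
# bridge11 is an invented bridge that only switches, with no address.
SAMPLE_IFCONFIG='bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: qjail-vnet-jail-only-bridge
    ether 02:3e:ba:a7:58:0a
    inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
    member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    groups: bridge
bridge11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:3e:ba:a7:58:0b
    member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    groups: bridge
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Constructed sample of `netstat -rn4` output, modelled on the thread
# (public prefix replaced by documentation space).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         re0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0
192.0.2.0/24       link#2             U           re0
127.0.0.1          link#3             UH          lo0'

# Print "bridgeN address" for every bridge interface that carries an inet
# address. Interface blocks start at column 0; their attributes are indented.
bridges_with_inet() {
    printf '%s\n' "$1" | awk '
        /^[^[:space:]]/ { iface = $1; sub(/:$/, "", iface) }
        /^[[:space:]]+inet / && iface ~ /^bridge[0-9]+$/ { print iface, $2 }'
}

# Print "prefix bridgeN" for every route whose Netif column is a bridge:
# the host has a layer-3 path onto the jail segment.
routes_via_bridge() {
    printf '%s\n' "$1" | awk '$4 ~ /^bridge[0-9]+$/ { print $1, $4 }'
}

# The ifconfig(8) command that removes the address from the bridge; with no
# address the host stops being a hop on the jail segment and the connected
# route disappears with it.
fix_command() {
    printf 'ifconfig %s inet %s delete\n' "$1" "$2"
}

# Full audit: one fix line per offending bridge; empty output means clean.
audit() {
    bridges_with_inet "$1" | while read -r iface addr; do
        fix_command "$iface" "$addr"
    done
}

# Stand-alone run against the constructed samples.
echo "bridges the host routes onto:"
routes_via_bridge "$SAMPLE_ROUTES"
echo "commands to make the bridge layer-2 only:"
audit "$SAMPLE_IFCONFIG"
```

On a live host, feed it `"$(ifconfig -a)"` and `"$(netstat -rn4)"` instead of the samples. Removing the address only stops the host from being a next hop on that segment; whether it forwards packets at all is governed by `net.inet.ip.forwarding` (`gateway_enable` in rc.conf), a value the thread does not show, so a complete review looks at that sysctl too. To keep the change across reboots, the bridge's `ifconfig_bridge10` line in rc.conf should carry only `addm`/`up` and no `inet` address.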