Date: Tue, 16 Aug 2016 13:47:32 +0100
From: krad <kraduk@gmail.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: Ernie Luzar <luzar722@gmail.com>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, Freebsd Questions <FreeBSD-questions@freebsd.org>
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com>
In-Reply-To: <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net>
is ipfilter supported in vnet jails? Last time I looked and tried pf didn't work (kernel panics), and only ipfw was supported.

On 15 August 2016 at 17:59, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

> On 15 Aug 2016, at 15:37, Ernie Luzar wrote:
>
>> Hello list;
>>
>> Running 11.0-RC1 with only option vimage compiled into the generic kernel.
>>
>> I can run ipfilter on the host and start vnet jails containing no
>> firewalls just fine. But when I try to also have ipfilter run in the vnet
>> jail nothing happens. I added this to the vnet jail's rc.conf
>> ipfilter_enable="YES"
>> ipfilter_rules="/etc/ipf.boot.rules"
>> ipmon_enable="YES"
>> ipmon_flags="-Ds"
>>
>> Then start the vnet jail and it's like those ipfilter statements in the
>> vnet jail's rc.conf are not there. The vnet jail's /var/log/messages file is
>> not even there. Issuing "ipfstat" inside the running vnet jail to display
>> the jail's ipfilter rules gives this error message "open(IPSTATE_NAME): No
>> such file or directory"
>> To me this means ipfilter is not running in the vnet jail even though I
>> requested it in the vnet jail's rc.conf file.
>>
>> So my question to this list is, has anyone managed to get ipfilter to run
>> inside a vnet jail using any of the 11.0 alpha, beta, or rc versions? If so
>> would you please share your setup with me?
>>
>> Maybe I am too close to the bleeding edge for there to be other users in
>> the same test loop?
>
> The startup script contains "nojail". I think someone opened a bug
> report the other day but I can't find it anymore; so the startup script
> won't automatically run inside a jail. Can you remove that line and try
> again?
>
> /bz
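The thread turns on one detail: a FreeBSD rc.d script that carries the `nojail` keyword is skipped by rc(8) when `security.jail.jailed` is 1, so the `ipfilter_enable="YES"` lines in the jail's rc.conf are silently ignored. The POSIX sh script below is an added example, not code from the thread or from FreeBSD; it finds which scripts in an rc.d directory carry that keyword, which is the check to run inside a jail before concluding that a service is broken. The sample rc.d directory it scans is constructed here with three minimal scripts (only `KEYWORD:` header lines, not the real FreeBSD scripts); on a real system you would point the function at /etc/rc.d instead. Note the word-boundary match: `nojailvnet`, a distinct keyword, is deliberately not reported.

```sh
#!/bin/sh
# Added example (not from the thread or FreeBSD): report rc.d services that
# rc(8) will not start inside a jail because their script carries the
# "nojail" keyword in its "# KEYWORD:" header line.

# Print the basename of every regular file under $1 whose KEYWORD line lists
# "nojail" as a whole word ("nojailvnet" is a different keyword and is skipped).
nojail_services() {
    dir=$1
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        if grep -Eq '^# KEYWORD:.*[[:space:]]nojail([[:space:]]|$)' "$script"; then
            basename "$script"
        fi
    done
}

# Constructed sample rc.d directory (assumption: three minimal scripts that
# carry only rcorder(8) header comments; they are not the real system scripts).
SAMPLE_RCD=$(mktemp -d)
trap 'rm -rf "$SAMPLE_RCD"' EXIT

cat > "$SAMPLE_RCD/ipfilter" <<'EOF'
#!/bin/sh
# PROVIDE: ipfilter
# REQUIRE: FILESYSTEMS
# KEYWORD: nojail
EOF

cat > "$SAMPLE_RCD/sshd" <<'EOF'
#!/bin/sh
# PROVIDE: sshd
# REQUIRE: LOGIN
# KEYWORD: shutdown
EOF

cat > "$SAMPLE_RCD/vnetonly" <<'EOF'
#!/bin/sh
# PROVIDE: vnetonly
# KEYWORD: nojailvnet
EOF

# On a real jail, run: nojail_services /etc/rc.d
nojail_services "$SAMPLE_RCD"
```

Run as a plain sh script it prints `ipfilter` only. Inside a jail, a service name appearing in that output explains an `_enable="YES"` line that has no visible effect; the remedy Bjoern suggests above is editing the keyword out of the script, which this check also lets you confirm afterwards.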