Date: Thu, 1 Jan 2009 21:50:04 GMT
From: Remko Lodder <remko@elvandar.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Message-ID: <200901012150.n01Lo4Sx022286@freefall.freebsd.org>
The following reply was made to PR kern/130102; it has been noted by GNATS.

From: Remko Lodder <remko@elvandar.org>
To: Stefan Hegnauer <stefan.hegnauer@gmx.ch>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Date: Thu, 1 Jan 2009 22:49:11 +0100

>
> > FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed
> Dec 31 09:05:43 CET 2008 root@jailhost.x.y.z:/usr/obj/usr/src/
> sys/IBMT20 i386
>
> Description:
> I have a jail host (192.168.1.10) with two jails running, webjail
> (192.168.1.80) and mailjail (192.168.1.25). The host uses pf for
> some additional protection on the single network interface facing my
> DMZ router, with rules for the two jailed hosts. So far everything
> seems to work as intended.
> The setup of the jails is according to the descriptions in the
> jail(8) manual page with no deviations.
>
> If I use pfctl(8) as root in one of the jails it is possible to
> control pf(4) that runs on the host. For example I can disable pf on
> the host altogether using 'pfctl -d', or re-enable it again with
> 'pfctl -e', or load a different ruleset with 'pfctl -f <rulefile>'
> etc.
> It seems that pfctl easily gets out of the jail, which I did not
> expect, and I also did not find any reference to this behaviour in
> the handbook, the FAQ, the PR database or anywhere else on the net.
>
> How-To-Repeat:
> - have enabled in the kernel (device pf, device pflog)
> - set up a jail system with at least one jail according to jail(8)
> man page
> - run pf on the host, load some rules and enable pf (pfctl -ef
> <rule_file>)
> - run 'pfctl -d' as root within a jail -> pf is disabled on the host
> (pfctl -si)
>
> Fix:
>

Can you perhaps tell us more about the setup you have with the jails, showing the devfs ruleset that is being used for the jails etc.? Normally the /dev/pf node isn't visible in jails and this shouldn't happen.
Thanks,
Remko

--
/"\   Best regards,                        | remko@FreeBSD.org
\ /   Remko Lodder                         | remko@EFnet
 X    http://www.evilcoder.org/            |
/ \   ASCII Ribbon Campaign                | Against HTML Mail and News
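The reply above points at the jail's devfs ruleset as the thing to check: if /dev/pf is hidden from the jail, pfctl inside the jail has no device node to open. The script below is an added example, not part of this PR thread or of FreeBSD itself. It audits a devfs.rules(5) ruleset fragment and reports whether it could leave /dev/pf visible to a jail, using constructed sample rulesets (the names devfsrules_jail_pf and devfsrules_jail_nohide are assumptions; devfsrules_jail, devfsrules_hide_all, devfsrules_unhide_basic and devfsrules_unhide_login are the stock names from /etc/defaults/devfs.rules).

```shell
#!/bin/sh
# Added example (not from the PR): decide whether a devfs.rules ruleset
# could expose /dev/pf to a jail. A ruleset exposes the node when it never
# includes $devfsrules_hide_all (so every node is visible by default) or
# when it explicitly unhides the "pf" path after hiding everything.

# Constructed sample rulesets (not the reporter's configuration).
# Stock jail ruleset: hide everything, then unhide only the basics.
RULES_HIDDEN='[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
'
# Hypothetical ruleset that hides all but then deliberately unhides pf.
RULES_EXPOSED='[devfsrules_jail_pf=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path pf unhide
'
# Hypothetical ruleset that never hides anything, so /dev/pf stays visible.
RULES_NOHIDE='[devfsrules_jail_nohide=6]
add include $devfsrules_unhide_basic
'

# pf_exposed RULESET_TEXT -> prints "exposed" or "hidden".
pf_exposed() {
    printf '%s\n' "$1" | awk '
        # A hide_all include puts the jail into deny-by-default mode.
        /^add include \$devfsrules_hide_all/ { hide = 1 }
        # An explicit unhide of the pf path re-exposes the node
        # (quotes around the path are optional in devfs.rules).
        /^add path \047?pf\047? unhide/   { unhide = 1 }
        END {
            r = (!hide || unhide) ? "exposed" : "hidden"
            print r
        }
    '
}

# audit_file PATH -> prints one "<ruleset header> <exposed|hidden>" line
# per [name=number] section of a real devfs.rules file.
audit_file() {
    awk '
        /^\[/ {
            if (hdr != "") { r = (!hide || unhide) ? "exposed" : "hidden"; print hdr, r }
            hdr = $0; hide = 0; unhide = 0; next
        }
        /^add include \$devfsrules_hide_all/ { hide = 1 }
        /^add path \047?pf\047? unhide/   { unhide = 1 }
        END { if (hdr != "") { r = (!hide || unhide) ? "exposed" : "hidden"; print hdr, r } }
    ' "$1"
}

# Stand-alone run over the constructed samples.
for name in RULES_HIDDEN RULES_EXPOSED RULES_NOHIDE; do
    eval "text=\$$name"
    printf '%s: %s\n' "$name" "$(pf_exposed "$text")"
done
```

On a real host, run `audit_file /etc/defaults/devfs.rules` (and `/etc/devfs.rules` if present) to see which rulesets leave pf visible, and inside a running jail check `[ -c /dev/pf ] && echo visible` to confirm what devfs actually mounted there; a jail whose devfs was mounted without any ruleset applied will show the node even though the rules file looks correct.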