From: "Kristof Provost"
To: irukandji
Cc: freebsd-pf@freebsd.org
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Date: Wed, 08 Nov 2017 22:39:23 +0800
Message-ID: <1AEA24B8-6A9B-41E0-9109-A79A66036DBB@sigsegv.be>
In-Reply-To: <1510069428.4725.31.camel@voidptr.eu>
References: <1510069428.4725.31.camel@voidptr.eu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
> Hi Everyone,
>
> Problem: isolating a jail away from the internal network and the host "hosting" it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
>
Can you show how you've started the jail and configured the network setup? Are you running a vnet jail?

> I am unable to prevent the jail from accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separated stack, but the host is still accessible from the jail.
>
What pf rules do you have?

> Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
>
It should be possible to do this, but there's a lot of ways to set this up.

Also bear in mind that VIMAGE was experimental in 11.1. There are several important bugs that are not fixed in 11.1 (but are fixed in CURRENT), especially in combination with pf.

Regards,
Kristof
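An added example of one way to express the isolation the question asks for; it is not part of the thread and not a ruleset from either poster. It assumes a layout the thread does not spell out: the vnet jail is attached through an epair, the host side of that pair is named epair0a and is a member of bridge0 together with re0, the jail owns 192.168.1.100 on epair0b, and the LAN gateway is 192.168.1.1. The rules live in the host's pf.conf rather than inside the jail, because a root user inside the jail can change the jail's own pf rules but not the host's. For pf on the host to see bridged jail traffic, the member-interface filter hook must be on (net.link.bridge.pfil_member=1; its default has varied between releases, so set it explicitly).

```pf
# Added example host pf.conf (not from the thread). Assumed names and
# addresses: epair0a (host side of the jail's epair, bridge0 member),
# jail 192.168.1.100, host 192.168.1.200, LAN 192.168.1.0/24, gateway
# 192.168.1.1. Requires net.link.bridge.pfil_member=1 on the host.

jail_if = "epair0a"
jail_ip = "192.168.1.100"
host_ip = "192.168.1.200"
lan     = "192.168.1.0/24"
gw      = "192.168.1.1"

set skip on lo0
scrub in all

# Anti-spoofing: only the jail's own address may source traffic on its link.
block in quick on $jail_if from ! $jail_ip

# The jail may talk to the gateway itself (e.g. DNS on the router); listed
# before the LAN block because "quick" rules match in order.
pass in quick on $jail_if from $jail_ip to $gw keep state

# Anything aimed at the host or the rest of the internal LAN is dropped
# and logged to pflog0 so the block is visible.
block in log quick on $jail_if from $jail_ip to { $host_ip, $lan }

# Everything else (off-LAN destinations) is allowed statefully; replies
# return through the state entry rather than through the rules below.
pass in quick on $jail_if from $jail_ip to any keep state

# No unsolicited traffic from the host side toward the jail.
block out quick on $jail_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, list what actually loaded with `pfctl -vsr`, and watch `tcpdump -nei pflog0` while testing from inside the jail: a ping from 192.168.1.100 to 192.168.1.200 should appear there as a logged block. Two caveats: pf filters IP only, so ARP between the jail and the LAN is still bridged (harmless for isolation, since no IP packet to the host or LAN can follow), and the final `block out` also stops the host from initiating connections to the jail, which is the point of the isolation but may surprise anyone expecting to ssh into the jail from the host.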