Date: Sun, 26 Jun 2016 09:45:25 +0000
From: <org.freebsd.security@io7m.com>
To: freebsd-net@freebsd.org
Cc: Alan Somers <asomers@freebsd.org>
Subject: Re: Filtering outbound traffic for private address jails?
Message-ID: <20160626094525.0d8254aa@copperhead.int.arc7.info>
In-Reply-To: <CAOtMX2gHpw-WKtFQdXcPEOc4W%2BrBjW4WDgfZuS2kefjUXmfvFA@mail.gmail.com>
References: <20160625220137.1ed8de16@copperhead.int.arc7.info> <CAOtMX2gHpw-WKtFQdXcPEOc4W%2BrBjW4WDgfZuS2kefjUXmfvFA@mail.gmail.com>
Hello.

On 2016-06-25T17:17:53 -0600
Alan Somers <asomers@freebsd.org> wrote:

> I'm filtering outbound traffic, but I'm not using NAT on the jail
> host. Instead, I have a dedicated router doing NAT, and my jail host
> has multiple IP addresses. At first I tried using traditional
> shared-address jails, but the firewall rules quickly got very
> complicated, especially for dealing with IPv6 and other non-IPv4
> traffic. So I switched to using vimage jails. I use iocage to set up
> my jails, and pf to filter them. A simplified version of my pf.conf
> follows:

As far as I'm aware, I cannot do this. I'm using a VPS that gives me
exactly one public IP address. If I want multiple addresses, they have
to be private addresses (on loopback, or possibly via something like
vnet) and I have to use some sort of software solution to expose them
to the outside world (and filter in/out).

> www_services = "{ http, https, 8080 }"
> host_iface = "em0"
> dmz_iface = "em1"
> www_jail_iface = "vnet0:1"
> www_ip = "192.168.0.40"
> set state-policy if-bound
>
> scrub in
> block in all
> block out all
>
> pass in on $host_iface
> pass out on $host_iface
> set skip on lo0
>
> # Allow all traffic to the DMZ. Filtering happens on individual vnet
> # interfaces
> pass in on $dmz_iface
> pass out on $dmz_iface
>
> # Put the www jail in a DMZ. Don't allow outgoing traffic from it except for
> # the webserver
> pass out on $www_jail_iface proto tcp to $www_ip port $www_services keep state
> # Uncomment next line to allow outbound traffic from www jail
> # pass in on $www_jail_iface

I'm not sure I fully understand. $host_iface and $dmz_iface are real
physical NICs? $www_jail_iface obviously isn't. I understand how
$dmz_iface and $www_jail_iface interact: Packets sent from the jail are
incoming on $www_jail_iface and outbound on $dmz_iface, but how is
$host_iface involved?

M
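An added pf.conf sketch for the single-public-IP case M describes (jails on private loopback aliases, NAT out, rdr in); it is an editor's example, not from this thread or from Alan's setup, and the interface name, addresses and services are assumptions. The point it shows is that on FreeBSD's pf translation runs before filtering, so outbound filter rules see the public source address and a per-jail `block out from $jail_ip` never matches; the nat rules themselves have to carry the allow list.

```pf
# Added example, not from the thread. Names/addresses are constructed.
ext_if       = "vtnet0"          # assumed: the VPS's public NIC
jail_net     = "10.0.0.0/24"     # constructed: aliases on cloned lo1
www_ip       = "10.0.0.10"
mail_ip      = "10.0.0.20"
www_services = "{ http, https }"
table <jails> { $www_ip, $mail_ip }

set skip on lo0
scrub in

# Translation happens before filtering, and the filter then sees the
# translated (public) source.  So NAT only the flows each jail may open;
# anything untranslated still carries its private source and is dropped
# by the catch-all block below.
nat on $ext_if inet proto udp from $www_ip  to any port domain       -> ($ext_if)
nat on $ext_if inet proto tcp from $www_ip  to any port { http, https } -> ($ext_if)
nat on $ext_if inet proto udp from $mail_ip to any port domain       -> ($ext_if)
nat on $ext_if inet proto tcp from $mail_ip to any port smtp         -> ($ext_if)

# Inbound exposure: after rdr the filter sees the jail's private
# destination, so the pass rule below names $www_ip, not ($ext_if).
rdr on $ext_if inet proto tcp to ($ext_if) port $www_services -> $www_ip

block log all

# Jail traffic that matched no nat rule above: log it and drop it.
block out log quick on $ext_if from <jails>

# Host itself (NATed jail flows also exit under ($ext_if) and match here).
pass in  on $ext_if inet proto tcp to ($ext_if) port ssh keep state
pass out on $ext_if from ($ext_if) keep state

# Redirected web traffic reaching the www jail.
pass in on $ext_if inet proto tcp to $www_ip port $www_services keep state

# Note: jail-to-jail traffic never touches $ext_if; it is seen on lo1 and
# is blocked by "block log all" until you add explicit rules on lo1.
```

Watching `pflog0` for the `block out log quick` rule is a quick way to confirm a jail is not making connections outside its allow list.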