From owner-freebsd-net@freebsd.org Sun Jun 26 10:02:42 2016
Date: Sun, 26 Jun 2016 09:45:25 +0000
To: freebsd-net@freebsd.org
Cc: Alan Somers
Subject: Re: Filtering outbound traffic for private address jails?
Message-ID: <20160626094525.0d8254aa@copperhead.int.arc7.info>
References: <20160625220137.1ed8de16@copperhead.int.arc7.info>
List-Id: Networking and TCP/IP with FreeBSD

Hello.
On 2016-06-25T17:17:53 -0600 Alan Somers wrote:
>
> I'm filtering outbound traffic, but I'm not using NAT on the jail
> host. Instead, I have a dedicated router doing NAT, and my jail host
> has multiple IP addresses. At first I tried using traditional
> shared-address jails, but the firewall rules quickly got very
> complicated, especially for dealing with IPv6 and other non-IPv4
> traffic. So I switched to using vimage jails. I use iocage to set up
> my jails, and pf to filter them. A simplified version of my pf.conf
> follows:

As far as I'm aware, I cannot do this. I'm using a VPS that gives me
exactly one public IP address. If I want multiple addresses, they have
to be private addresses (on loopback, or possibly via something like
vnet) and I have to use some sort of software solution to expose them
to the outside world (and filter in/out).

> www_services = "{ http, https, 8080 }"
> host_iface = "em0"
> dmz_iface = "em1"
> www_jail_iface = "vnet0:1"
> www_ip = "192.168.0.40"
> set state-policy if-bound
>
> scrub in
> block in all
> block out all
>
> pass in on $host_iface
> pass out on $host_iface
> set skip on lo0
>
> # Allow all traffic to the DMZ. Filtering happens on individual vnet
> # interfaces
> pass in on $dmz_iface
> pass out on $dmz_iface
>
> # Put the www jail in a DMZ. Don't allow outgoing traffic from it except for
> # the webserver
> pass out on $www_jail_iface proto tcp to $www_ip port $www_services keep state
> # Uncomment next line to allow outbound traffic from www jail
> # pass in on $www_jail_iface

I'm not sure I fully understand. $host_iface and $dmz_iface are real
physical NICs? $www_jail_iface obviously isn't. I understand how
$dmz_iface and $www_jail_iface interact: Packets sent from the jail are
incoming on $www_jail_iface and outbound on $dmz_iface, but how is
$host_iface involved?

M
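For the single-public-address case described in the reply above, here is an added example pf.conf (not from this thread or from either poster) that keeps the quoted design of filtering on the jail-side interface, but adds the NAT and redirection a host with one public IP needs. The interface names em0 and bridge0, the 10.0.1.0/24 jail subnet, the web jail address and the resolver address are assumptions.

```pf
# Added example, not the poster's config: one public address on em0,
# vnet jails attached to bridge0 with private addresses (assumed names).
ext_if       = "em0"
jail_if      = "bridge0"            # host side of the jails' epair interfaces
jail_net     = "10.0.1.0/24"
www_jail     = "10.0.1.40"
www_services = "{ http, https }"
dns_servers  = "{ 203.0.113.53 }"  # assumed resolver, documentation range

set skip on lo0
scrub in all

# Hide the whole jail subnet behind the host's single public address.
# Translation happens before filtering, so on $ext_if the filter sees
# the jail traffic with the host's address as source.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Publish only the web jail's services on the public address. rdr runs
# before filtering, so the matching pass rule filters on $www_jail.
rdr on $ext_if inet proto tcp to ($ext_if) port $www_services -> $www_jail

# Default deny in both directions, logged (IPv6 is blocked as well until
# explicit inet6 rules are added).
block log all

# Host management and the host's own outbound traffic (NAT'd jail traffic
# leaving $ext_if matches this rule too).
pass in  on $ext_if inet proto tcp to ($ext_if) port ssh keep state
pass out on $ext_if inet keep state

# Inbound to the web jail: only the redirected service ports.
pass in  on $ext_if  inet proto tcp to $www_jail port $www_services keep state
pass out on $jail_if inet proto tcp to $www_jail port $www_services keep state

# Outbound from jails, seen as "in" on $jail_if: DNS for every jail, and
# HTTP/HTTPS fetches (e.g. package updates) for the web jail only.
# Anything else a jail tries to send is caught by "block log all".
pass in on $jail_if inet proto { tcp, udp } from $jail_net to $dns_servers port domain keep state
pass in on $jail_if inet proto tcp from $www_jail to any port $www_services keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for blocked jail traffic while tightening the per-jail rules.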