From owner-freebsd-questions@freebsd.org Wed Aug 17 01:04:56 2016
Message-ID: <57B3B858.4000707@gmail.com>
Date: Tue, 16 Aug 2016 21:05:28 -0400
From: Ernie Luzar
To: "Bjoern A. Zeeb"
CC: CyberLeo Kitsana, "freebsd-jail@freebsd.org", Freebsd Questions, krad, James Gritton
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>
In-Reply-To: <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>

Bjoern A. Zeeb wrote:
> On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
>
>> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
>>
>>> Issuing the "ipf -FS -Fa" command from within the vnet jail gives this
>>> message: "open device: no such file or directory. User kernel version
>>> check failed."
>>
>> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
>> and /dev/ipstate. Have you checked that the devfs ruleset applied to
>> your jail has those unhidden?
>>
>>> Issuing the "ipfstat -hnio" command from within the vnet jail gives this
>>> message: "open(IPSTATE_NAME): no such file or directory."
>>
>> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
>> bad idea.
>
> /dev/kmem is a bad idea; I should go and check what it is using it for
> and if needed we should fix that.
>
>
> I guess the general thing is that we might want to create another
> default set of devfs rules which include additional nodes we now
> consider safe inside VNET jails; the jail.conf still needs to know the
> right ruleset to apply, so the jail.conf would need to specify the other
> devfs_ruleset="..." for vnet jails. Maybe Jamie could then come up with
> an intelligent solution that would automatically flip things if option
> vnet is set? I guess jail.conf(5) will need more examples for these
> things as well.
>
>
> /bz
>

If that's the road you are thinking of going down, then we have to look
at the big picture. Would another rule set, say number 5, include rule
set number 4 plus the nodes for ipfilter, pf, and ipfw? Or maybe a
separate rule set for each firewall, which is more secure.

There is no way jail(8) could know which firewall, if any, was going to
be run in the vnet jail, so it could not select the correct rule if there
were separate rules for each firewall. A combined rule set containing
everything needed for all 3 firewalls would be something jail(8) could
auto default to if the vnet option was coded.

In light of the 11.0 release being published soon, there should be
something posted to the release notes talking about this, with sample
code for a combined rule #5. This would give vnet users a copy & paste
solution to use until jail(8) gets updated in 11.1.

I tried this rule set in /etc/devfs.rules:

    [devfsrules_jail=5]
    add include $devfsrules_jail
    add path /dev/ipl unhide
    add path /dev/ipauth unhide
    add path /dev/ipstate unhide

At boot time I get an error message that this was invalid.

If I could get a combined rule #5 file with correct syntax, I could
continue testing all 3 firewalls using 11.0-RC1. Your help would be
greatly appreciated.
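Added example, not part of the message above and not FreeBSD's own rc code: a small POSIX shell checker for a devfs.rules file. It resolves "add include $name" references the way /etc/rc.d/devfs does (each "[name=num]" header binds a shell variable name=num) and prints which device nodes a given ruleset ends up unhiding, so a proposed combined ruleset can be reviewed before a jail is started with it. The rules text is constructed here: an abbreviated copy of the /etc/defaults/devfs.rules layout plus a hypothetical "devfsrules_jail_vnet=5" that unhides only the ipfilter nodes named in the thread (ipl, ipauth, ipstate) and pf's node, and leaves kmem hidden; that ruleset name and its contents are assumptions, not something the thread settles. The second sample reuses the name devfsrules_jail for number 5, as the snippet in the message does; the checker treats a name bound to two different numbers as a defect, which is an assumption about how such a file would be rejected, not a diagnosis the thread confirms. Note that paths in devfs rules are relative to /dev ("ipl", not "/dev/ipl"), matching the style of /etc/defaults/devfs.rules.

```sh
#!/bin/sh
# Added example (not from the thread): resolve a devfs.rules file the way
# /etc/rc.d/devfs does and list the nodes a ruleset ultimately unhides.

# Constructed sample: abbreviated defaults layout plus a hypothetical
# combined vnet ruleset. /dev/kmem is deliberately left hidden.
SAMPLE_RULES='
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide
add path random unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path fuse unhide

[devfsrules_jail_vnet=5]
add include $devfsrules_jail
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
add path pf unhide
'

# Constructed sample with the shape of the snippet in the message: the new
# ruleset reuses the name devfsrules_jail, which is already bound to 4.
BAD_RULES='
[devfsrules_hide_all=1]
add hide

[devfsrules_jail=4]
add include $devfsrules_hide_all

[devfsrules_jail=5]
add include $devfsrules_jail
add path ipl unhide
'

# Usage: devfs_unhidden_paths "<rules text>" <ruleset number>
# Prints one unhidden path per line, includes first, own paths last.
# On a redefined name, an undefined "$name", an unknown ruleset or an
# include cycle it prints "ERROR: ..." and returns 1.
devfs_unhidden_paths() {
    printf '%s\n' "$1" | awk -v want="$2" '
    function resolve(n,    i, k, parts) {
        if (n in active) { print "ERROR: include cycle at ruleset " n; failed = 1; return }
        if (n in done) return
        active[n] = 1
        k = split(inc[n], parts, " ")
        for (i = 1; i <= k; i++) resolve(parts[i])
        k = split(unhide[n], parts, " ")
        for (i = 1; i <= k; i++)
            if (!(parts[i] in seen)) { seen[parts[i]] = 1; order[++count] = parts[i] }
        delete active[n]; done[n] = 1
    }
    {
        sub(/#.*/, "")                       # comments are ignored, as in rc.d/devfs
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        if ($0 ~ /^\[[A-Za-z_][A-Za-z0-9_]*=[0-9]+\]$/) {   # "[name=num]" header
            split(substr($0, 2, length($0) - 2), kv, "=")
            if ((kv[1] in num) && num[kv[1]] != kv[2]) {
                print "ERROR: ruleset name " kv[1] " redefined as " kv[2] " (already bound to " num[kv[1]] ")"
                failed = 1; exit 1
            }
            num[kv[1]] = kv[2]; cur = kv[2]; defined[cur] = 1
            next
        }
        if ($1 == "add" && $2 == "include") {          # "$name" or a literal number
            ref = $3
            if (substr(ref, 1, 1) == "$") {
                if (!(substr(ref, 2) in num)) {
                    print "ERROR: include of undefined ruleset " ref; failed = 1; exit 1
                }
                ref = num[substr(ref, 2)]
            }
            inc[cur] = inc[cur] " " ref
            next
        }
        if ($1 == "add" && $2 == "path" && $4 == "unhide") unhide[cur] = unhide[cur] " " $3
    }
    END {
        if (failed) exit 1
        if (!(want in defined)) { print "ERROR: ruleset " want " is not defined"; exit 1 }
        resolve(want)
        if (failed) exit 1
        for (i = 1; i <= count; i++) print order[i]
    }'
}

# Stand-alone demonstration.
echo "ruleset 5 unhides:"
devfs_unhidden_paths "$SAMPLE_RULES" 5
echo "name-clash variant:"
devfs_unhidden_paths "$BAD_RULES" 5 || true
```

To review a real system, feed it the concatenation of /etc/defaults/devfs.rules and /etc/devfs.rules, which is the order rc.d/devfs reads them, and compare the printed list against the nodes the firewall tools actually need; anything beyond that list (kmem in particular) is attack surface the jail does not require.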