Date: Mon, 22 Aug 2016 18:52:55 -0400 From: Ernie Luzar <luzar722@gmail.com> To: Freebsd Questions <FreeBSD-questions@freebsd.org> Cc: "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org> Subject: Problem 11.0-RC1 vnet jails with ipfilter Message-ID: <57BB8247.6060907@gmail.com> In-Reply-To: <20160817072244.GO18643@e-new.0x20.net> References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net> <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net> <57B3B858.4000707@gmail.com> <20160817072244.GO18643@e-new.0x20.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello List. I have a working setup where I am running IPF on the host and in a vnet jail at the same time. The problem is I don't think the vnet IPF rules are being enforced. To verify the vnet IPF rules are active and being enforced, I have a rule to deny outbound for port 43. Port 43 is used by the "whois" command. When I issue the "whois" command from the vnet jail console, I get whois results when it should not function. I may have overlooked something or my testing concept may be faulty, so I am requesting some other eyes to review what I am doing for a reason I am getting the results I am getting. I have run the test using a vimage kernel and a vimage/ipf kernel and get the same results. The vnet jail is using this /etc/devfs.rules rule [devfsrules_vjail_ipf=60] add include $devfsrules_jail add path ipl unhide add path ipl0 unhide add path ipf unhide add path ipauth unhide add path ipnat unhide add path ipstate unhide # used by ipstate #add path kmem unhide #add path kernel unhide and yes the "devfs rule showsets" command does show rule number 60. Issuing the ipfilter command "ipfstat -hnoi" from the host console shows these rules 0 @1 pass out quick on lo0 all 0 @2 pass out log quick on fxp0 all 0 @1 pass in quick on lo0 all 1 @2 pass in log quick on fxp0 all Issuing the ipfilter command "ipfstat -hnoi" from the started vnet jail console shows these rules 0 @1 pass out quick on lo0 all 0 @2 block out log quick on epair17b proto tcp from any to any port = nicname 0 @3 pass out log quick on epair17b all 0 @1 pass in quick on lo0 all 0 @2 pass in log quick on epair17b all There are 0 counts because the ipstate command is restricted from accessing kmem & kernel from inside of the vnet jail. But this at lease seems to indicate ipfilter is running in the vnet jail. Issuing the "ping" command from the started vnet jail console works and the hosts ipfilter log shows this [sniped to fit] fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN Issuing the "whois" command from the started vnet jail console works also, but should not work because of the block rule on port 43. The hosts ipfilter log shows this [sniped to fit] fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 60 -S OUT fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 60 -AS IN fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 52 -A OUT fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 61 -AP OUT fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 52 -A IN fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 367 -AP IN fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 52 -AF IN fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 52 -A OUT fxp0 @0:2 p 10.2.0.2,51575 -> 192.0.32.59,43 PR tcp len 20 52 -AF OUT fxp0 @0:2 p 10.2.0.2,51903 -> 199.71.0.46,43 PR tcp len 20 60 -S OUT fxp0 @0:2 p 192.0.32.59,43 -> 10.2.0.2,51575 PR tcp len 20 52 -A IN fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 60 -AS IN fxp0 @0:2 p 10.2.0.2,51903 -> 199.71.0.46,43 PR tcp len 20 52 -A OUT fxp0 @0:2 p 10.2.0.2,51903 -> 199.71.0.46,43 PR tcp len 20 63 -AP OUT fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 52 -A IN fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 293 -AP IN fxp0 @0:2 p 199.71.0.46,43 -> 10.2.0.2,51903 PR tcp len 20 1500 -A IN I would think that this indicates that the ipfilter rules in a vnet jail are not functioning. I can start the vnet jail without any firewall running in it and get the same results. Thanks for your help.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57BB8247.6060907>