From: Ernie Luzar <luzar722@gmail.com>
Date: Wed, 05 Aug 2020 10:17:36 -0400
To: Arthur Chance
CC: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: how to make a non-vnet jail local only?
Message-ID: <5F2ABF80.4080208@gmail.com>
In-Reply-To: <77719bef-6c53-21a7-ca17-3ebac05427b9@qeng-ho.org>

Arthur Chance wrote:
> On 05/08/2020 02:02, Ernie Luzar wrote:
>> I have non-vnet jails working that can reach the public internet.
>> But now I would like to make some local-only non-vnet jails that can
>> only access other local-only non-vnet jails. By local meaning have no
>> access to the public internet.
>>
>> How do I make this happen?
>>
>> Thanks for any pointers.
>
> Create a second loopback interface (cloned_interfaces="lo1" in
> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
> local jails on lo1 without access to any other interface.
>

I tested this already and it doesn't work. A non-vnet jail with lo99 for the NIC and IP address 10.0.28.5 can still reach the public internet.

I also tested a non-vnet jail with re0 for the NIC and IP address 127.0.10.10, and it can NOT reach the public internet. I created a second non-vnet jail with re0 for the NIC and IP address 127.0.10.11, and it can NOT reach the public internet. But these 2 jails can ping each other. So the NIC loX has nothing to do with limiting the non-vnet jail to local host access only.

Based on the above 2 tests it looks like the 127.0.0.2 through 127.255.255.254 IP address range is the local host controlling factor.

Just to cover all the bases: the host firewall allows the lo0 interface to pass without any rules. The lo99 interface has no firewall rules at all, nor any NAT rules for 127.0.0.0/8. 10.0.0.0/8 is the only IP address range being NATed.

To see whether 127.0.0.0/8 has some special internal limiting factor on it, or whether the firewall not NATing 127.0.0.0/8 is the cause of non-vnet jails not being able to reach the public internet, I created a 3rd non-vnet jail with re0 for the NIC and IP address 192.168.10.10 and made no changes to the firewall or NAT. This jail can NOT reach the public internet, but can ping the other 2 local-only jails, 127.0.10.10 and 127.0.10.11.

So the conclusion is that loX or 127.0.0.0/8 has nothing to do with being the controlling factor between local and public non-vnet jails. The real controlling factor is whether the jail's IP address is being NATed or not.
Can this conclusion be disputed?
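As an added example that is not part of this thread and not anyone's posted configuration, here is how the conclusion above translates into a pf ruleset that does not depend on the mere absence of a NAT rule. It assumes a host whose external interface is re0, a cloned lo1, one public non-vnet jail on 10.0.28.5, and two local-only non-vnet jails on 10.0.99.10 and 10.0.99.11 assigned to lo1 in jail.conf; interface names, jail addresses and the 10.0.99.0/24 range are all hypothetical. It goes a step beyond the thread: rather than just leaving the local-only addresses un-NATed, it also drops their traffic at the external interface, so a local-only jail cannot reach LAN hosts over re0 or leak packets with an unroutable source address.

```pf
# /etc/pf.conf (added example; interface, addresses and jail groups are assumptions)
ext_if   = "re0"
jail_pub = "{ 10.0.28.5 }"      # jails that are allowed to reach the internet
jail_loc = "10.0.99.0/24"       # local-only jails, addresses assigned to lo1

# Options must precede translation and filter rules in pf.conf.
# Jail-to-jail and jail-to-host traffic is looped back through lo0 no
# matter which interface the address was assigned to, so let loopback
# traffic pass untouched.
set skip on lo0
set skip on lo1

# Translation. pf applies nat before the filter rules see an outbound
# packet, so restrict nat to the public jails and explicitly exempt the
# local-only range instead of NATing 10.0.0.0/8 wholesale (a blanket
# 10.0.0.0/8 nat rule is why a 10.0.x.x jail on lo99 still got out in
# the thread above). The first matching translation rule wins, so the
# exemption comes first.
no nat on $ext_if from $jail_loc to any
nat on $ext_if from $jail_pub to any -> ($ext_if)

# Filter. "Not NATed" only means replies cannot come back; a local-only
# jail could still talk to the LAN directly over re0. Drop that traffic
# at the external interface in both directions. "quick" stops later pass
# rules (and pf's default-pass behaviour) from overriding the block.
block out quick on $ext_if from $jail_loc to any
block in  quick on $ext_if from any to $jail_loc

# Public jails and the host itself may go out.
pass out on $ext_if from $jail_pub to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. A quick functional check from the host is `jexec` into one local-only jail and ping the other (which should succeed over loopback), then ping an address outside the host (which should fail), and confirm with `pfctl -vsr` that the block counters on the `$jail_loc` rules increment rather than the nat counters. Note that this isolates at the IP layer only; a local-only jail that shares the host's network stack can still see any unrestricted listeners bound to the host's addresses, so pair this with binding services to specific addresses.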