From: Sami Halabi
Date: Thu, 9 Nov 2017 07:28:37 +0200
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
To: Kristof Provost
Cc: irukandji, freebsd-pf@freebsd.org
In-Reply-To: <1AEA24B8-6A9B-41E0-9109-A79A66036DBB@sigsegv.be>

Hi,

To completely isolate a specific jail, the following solution comes to mind:

1. Use VIMAGE.
2. Set up one broker jail. That jail will run ipfw (or pf, but I recall it has several bugs and kernel panics) with NAT, and will have two NICs from two different epairs: one to the host and the other to the isolated jail, aka the 'private LAN'. You should NAT all traffic from the NIC with the isolated jail to the world, and block access to your own networks plus any other restrictions you want.
3. Set up your jail with the epair NIC from the broker 'LAN' jail.

Just an idea.
Sami

On 8 Nov 2017 at 04:39 PM, "Kristof Provost" wrote:

> On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
>
> > Hi Everyone,
> >
> > Problem: isolating a jail away from the internal network and the host
> > "hosting" it.
> > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
> > enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
> > single network card on re0
>
> Can you show how you've started the jail and configured the network setup?
> Are you running a vnet jail?
>
> > I am unable to prevent the jail accessing the host (192.168.1.200); for any
> > other IP it is working. I have configured VNET just to have a separate stack,
> > but the host is still accessible from the jail.
>
> What pf rules do you have?
>
> > Am I missing something, or is this just something that can't be
> > accomplished using pf? I have been banging my head against the wall with
> > this issue for the past few months, going radical lately (kernel recompile ;) )
> > but still without any result.
>
> It should be possible to do this, but there are a lot of ways to set this up.
>
> Also bear in mind that VIMAGE was experimental in 11.1. There are several
> important bugs that are not fixed in 11.1 (but are fixed in CURRENT),
> especially in combination with pf.
>
> Regards,
> Kristof
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
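The broker-jail topology Sami describes above, written out as configuration. This is an added example, not code from Sami, Kristof or irukandji: the jail names (broker, isolated), paths under /usr/jails, the 192.168.1.250 and 10.0.0.0/24 addresses, the LAN gateway, the devfs ruleset number and the public resolver are all assumptions. The point of the layout is that the isolated jail has no interface on the host's L2 segment at all (unlike irukandji's vnet-over-bridge0 setup), so the host and the internal LAN are only reachable through a router the jail does not control, and the block rule lives there. The broker's filter is shown as pf.conf because this is the pf list; Kristof's warning about pf plus VIMAGE on 11.1 is exactly why Sami suggested ipfw for the broker, and the rules translate directly if you hit those bugs.

```conf
# ---- host: /etc/jail.conf ----
# Topology (all names and addresses assumed for this example):
#   re0 (host 192.168.1.200/24) -- bridge0 -- epair0a | epair0b (broker 192.168.1.250/24)
#   broker: epair1a (10.0.0.1/24) <-> epair1b (isolated 10.0.0.2/24)
# "isolated" is not bridged to re0. Every packet it sends is routed by
# "broker", which NATs it to the world and drops anything for the host/LAN.

exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name";
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";

broker {
    vnet;
    vnet.interface = "epair0b", "epair1a";
    devfs_ruleset = 5;                       # must unhide /dev/pf (see devfs.rules below)
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair1 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";   # broker's LAN leg joins the host's bridge
    exec.poststop  = "ifconfig epair0 destroy";
    exec.poststop += "ifconfig epair1 destroy";
}

isolated {
    vnet;
    vnet.interface = "epair1b";              # its ONLY interface; no leg on bridge0
    depend = "broker";                       # epair1b exists only after broker's prestart ran
}

# ---- host: /etc/devfs.rules ----
[devfsrules_jail_pf=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path pf unhide

# ---- broker: /usr/jails/broker/etc/rc.conf ----
ifconfig_epair0b="inet 192.168.1.250/24"
defaultrouter="192.168.1.1"                  # LAN gateway, assumed
ifconfig_epair1a="inet 10.0.0.1/24"
gateway_enable="YES"                         # net.inet.ip.forwarding=1 inside the broker's vnet
pf_enable="YES"

# ---- broker: /usr/jails/broker/etc/pf.conf ----
ext_if   = "epair0b"
int_if   = "epair1a"
priv_net = "10.0.0.0/24"
# Destinations the isolated jail must never reach: the host's LAN (and so the
# host itself), every RFC 1918 range, link-local, and the broker's own
# addresses. The isolated jail only needs a route via 10.0.0.1, not a
# conversation with it, so blocking all of 10/8 costs nothing.
blocked  = "{ 192.168.1.0/24, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"

set skip on lo0
scrub in all

# Source NAT: the private LAN leaves through the broker's LAN address
nat on $ext_if inet from $priv_net to any -> ($ext_if)

block log all

# "quick": internal destinations are dropped before any pass rule can match
block in quick log on $int_if from $priv_net to $blocked
# Everything else from the isolated jail may leave, statefully. IPv4 only:
# there is no pass for inet6, so v6 from the isolated jail stays blocked.
pass in on $int_if inet from $priv_net to any keep state
# The broker itself: outbound only, no services exposed on the LAN side
pass out on $ext_if inet keep state

# ---- isolated: /usr/jails/isolated/etc/rc.conf ----
ifconfig_epair1b="inet 10.0.0.2/24"
defaultrouter="10.0.0.1"
# /etc/resolv.conf in "isolated" must point at a public resolver (assumed);
# a LAN resolver would be caught by the block rule above.
```

To check the result, from the host run `jexec isolated ping -c 1 192.168.1.200` and `jexec isolated ping -c 1 192.168.1.1`: both must time out, while a public address answers and `jexec broker pfctl -ss` shows the NAT state for it. `jexec broker pfctl -sr` should list the `block in quick` rule ahead of the `pass in`; if pf inside the broker does not load the ruleset at all, /dev/pf is usually missing from the jail's devfs (the ruleset above) rather than a pf problem.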