From: "Peter" <fbsdq@peterk.org>
To: freebsd-net@freebsd.org
Date: Fri, 20 Nov 2009 18:18:02 -0700 (MST)
Subject: ipfw not blocking inter jail ip traffic
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Have 2 jails and I don't want them to be able to reach each other.
gulag:#ifconfig em0
em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:03:18:ea
        inet 172.20.6.50 netmask 0xffffff00 broadcast 172.20.6.255
        inet 172.20.6.209 netmask 0xffffff00 broadcast 172.20.6.255
        inet 172.20.6.211 netmask 0xffffff00 broadcast 172.20.6.255

gulag:#ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
10000 deny ip from 172.20.6.209 to 172.20.6.211
10001 deny ip from 172.20.6.211 to 172.20.6.209
40000 deny ip from 172.20.6.209 to any
65000 allow ip from any to any
65535 deny ip from any to any

The two jails [.209 and .211] can still ping each other. Even with rule 40000, the .209 jail can ping/ssh to the .211 jail, but of course cannot ping the gateway...

If I remove rule '100' from the list, the jails are no longer able to ping each other. Although the IPs are on em0, why is the rule with lo0 letting them pass? Does lo0 mean ALL IPs assigned to the server, or does it mean the loopback interface:

gulag:#ifconfig lo0
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

]Peter[
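Added example, not from Peter's mail: a small first-match simulator for the posted ipfw ruleset. It rests on the fact that FreeBSD delivers packets between two addresses configured on the same host (here the two jail IPs) over lo0 rather than em0, which is why rule 100 matches them before rules 10000/10001 are ever reached; the gateway address 172.20.6.1 is a constructed value.

```python
# Added example (not from the original mail): first-match evaluation of
# the posted ipfw ruleset. Assumption: jail-to-jail packets arrive on lo0
# because both addresses are local to the host. 172.20.6.1 is constructed.
from ipaddress import ip_address, ip_network

# The poster's rules as (number, action, src, dst, iface); iface=None means
# the rule has no "via" clause and matches on any interface.
POSTED_RULES = [
    (100,   "allow", "any", "any", "lo0"),
    (200,   "deny",  "any", "127.0.0.0/8", None),
    (300,   "deny",  "127.0.0.0/8", "any", None),
    (10000, "deny",  "172.20.6.209", "172.20.6.211", None),
    (10001, "deny",  "172.20.6.211", "172.20.6.209", None),
    (40000, "deny",  "172.20.6.209", "any", None),
    (65000, "allow", "any", "any", None),
    (65535, "deny",  "any", "any", None),
]

# Same policy with the inter-jail deny rules numbered ahead of the lo0 allow,
# so they are consulted first regardless of which interface carries the packet.
FIXED_RULES = [r for r in POSTED_RULES if r[0] not in (10000, 10001)] + [
    (50, "deny", "172.20.6.209", "172.20.6.211", None),
    (51, "deny", "172.20.6.211", "172.20.6.209", None),
]

def _addr_match(spec, addr):
    """'any' matches everything; otherwise treat spec as a host or CIDR."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def first_match(rules, src, dst, iface):
    """Return (rule number, action) of the first rule that matches the packet."""
    for num, action, r_src, r_dst, r_iface in sorted(rules, key=lambda r: r[0]):
        if r_iface is not None and r_iface != iface:
            continue  # "via lo0" only matches packets seen on lo0
        if _addr_match(r_src, src) and _addr_match(r_dst, dst):
            return num, action
    raise RuntimeError("ruleset has no catch-all rule")

if __name__ == "__main__":
    # Jail-to-jail: local addresses, so the packet is seen on lo0 -> rule 100 allows it.
    print(first_match(POSTED_RULES, "172.20.6.209", "172.20.6.211", "lo0"))
    # With the deny rules ahead of the lo0 allow, the same packet is blocked.
    print(first_match(FIXED_RULES, "172.20.6.209", "172.20.6.211", "lo0"))
    # Jail to gateway leaves on em0, where rule 40000 catches it (as observed).
    print(first_match(POSTED_RULES, "172.20.6.209", "172.20.6.1", "em0"))
```

Dropping rule 100 entirely, as the poster tried, also blocks the jails (rule 10000 is then the first match) but at the cost of the loopback allow, whereas reordering keeps 127.0.0.1 traffic on lo0 permitted.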