From owner-freebsd-net@FreeBSD.ORG Sat Nov 21 14:07:55 2009
From: Steve Bertrand <steve@ibctech.ca>
Date: Sat, 21 Nov 2009 09:08:05 -0500
To: Peter
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw not blocking inter jail ip traffic
Message-ID: <4B07F445.3030206@ibctech.ca>
In-Reply-To: <02821228f8c0ffffa3084eed1ad5a624.squirrel@webmail.pknet.net>
List-Id: Networking and TCP/IP with FreeBSD

Peter wrote:
> Hi,
>
> Have 2 jails and I don't want them to be able to reach each other.
>
> gulag:#ifconfig em0
> em0: flags=8843 metric 0 mtu 1500
>         options=9b
>         ether 08:00:27:03:18:ea
>         inet 172.20.6.50 netmask 0xffffff00 broadcast 172.20.6.255
>         inet 172.20.6.209 netmask 0xffffff00 broadcast 172.20.6.255
>         inet 172.20.6.211 netmask 0xffffff00 broadcast 172.20.6.255
>
> gulag:#ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 deny ip from 172.20.6.209 to 172.20.6.211
> 10001 deny ip from 172.20.6.211 to 172.20.6.209
> 40000 deny ip from 172.20.6.209 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
>
> The two jails [.209 and .211] can still ping each other.
> Even with rule 40000, the .209 jail can ping/ssh to the .211 jail, but of
> course cannot ping the gateway...
> If I remove rule '100' from the list, jails are no longer able to ping
> each other - Although the IPs are on em0, why is the rule with lo0 letting
> them pass?

Because, AFAIK, traffic that stays within the box never crosses the
external (ie: non-loopback) interface planes.

> Does lo0 mean ALL ips assigned to server? or does it mean
> loopback interface:

It means loopback interface. Essentially, all traffic that originates
and is destined to itself stays within the loopback.

Try this:

ipfw add 40000 deny all from 172.20.6.211 to 172.20.6.209 via lo0

The following would allow you to block access from .211 to ANY other IP
(jail) on the box (I *think* it would still permit network destined
traffic):

ipfw add xxxx deny all from 172.20.6.211 to me

HTH,

Steve
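Added illustration, not code from Steve or Peter and not ipfw itself: a small POSIX sh model of ipfw's first-match evaluation, run over Peter's ruleset as transcribed above. It takes the thread's premise as given (jail-to-jail packets on one host traverse lo0, not em0) and checks only rule ordering. The rule numbers 00090/00091/00095, the HOST_ADDRS list used for the `me` keyword (Peter's three em0 addresses plus an assumed 127.0.0.1 on lo0), and the 8.8.8.8 off-box destination are constructed for the example. The point it makes is the one Peter already observed when deleting rule 100: with first-match semantics, any jail-to-jail deny has to sort before the `allow ip from any to any via lo0` rule, or it is never reached.

```shell
#!/bin/sh
# Constructed model of ipfw first-match rule evaluation. It is NOT ipfw;
# it only reproduces "walk the rules in number order, first match wins".

# Addresses configured on the host (Peter's em0 addresses, plus an
# assumed 127.0.0.1 on lo0). Used for ipfw's "me" keyword.
HOST_ADDRS="172.20.6.50 172.20.6.209 172.20.6.211 127.0.0.1"

# Dotted quad -> integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does address $1 match spec $2 (any | me | a.b.c.d | a.b.c.d/n)?
addr_match() {
    addr=$1 spec=$2
    case $spec in
        any) return 0 ;;
        me)  for h in $HOST_ADDRS; do [ "$h" = "$addr" ] && return 0; done
             return 1 ;;
        */*) net=${spec%/*}; bits=${spec#*/} ;;
        *)   net=$spec; bits=32 ;;
    esac
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Walk ruleset $1 (one "num action src dst iface" per line, iface "any"
# meaning no "via" clause) in number order; print the first rule that
# matches a packet src=$2 dst=$3 seen on interface $4.
first_match() {
    ruleset=$1 src=$2 dst=$3 iface=$4
    printf '%s\n' "$ruleset" | sort -n | while read -r num action rsrc rdst riface; do
        [ -z "$num" ] && continue
        [ "$riface" = any ] || [ "$riface" = "$iface" ] || continue
        addr_match "$src" "$rsrc" || continue
        addr_match "$dst" "$rdst" || continue
        echo "$num $action"
        break
    done
}

# Peter's ruleset, transcribed from his "ipfw list" output.
ORIGINAL='00100 allow any any lo0
00200 deny any 127.0.0.0/8 any
00300 deny 127.0.0.0/8 any any
10000 deny 172.20.6.209 172.20.6.211 any
10001 deny 172.20.6.211 172.20.6.209 any
40000 deny 172.20.6.209 any any
65000 allow any any any
65535 deny any any any'

# Same ruleset with jail-to-jail denies on lo0 placed AHEAD of rule 100
# (rule numbers 00090/00091 are this example's choice).
FIXED="00090 deny 172.20.6.209 172.20.6.211 lo0
00091 deny 172.20.6.211 172.20.6.209 lo0
$ORIGINAL"

# Steve's "to me" idea, again placed ahead of rule 100 (00095 is this
# example's choice): .211 may not reach any address on the box.
ME_RULE="00095 deny 172.20.6.211 me any
$ORIGINAL"

# Demo run: the same jail-to-jail packet under each ruleset.
echo "original, .209->.211 via lo0: $(first_match "$ORIGINAL" 172.20.6.209 172.20.6.211 lo0)"
echo "original, .209->.211 via em0: $(first_match "$ORIGINAL" 172.20.6.209 172.20.6.211 em0)"
echo "fixed,    .209->.211 via lo0: $(first_match "$FIXED" 172.20.6.209 172.20.6.211 lo0)"
echo "fixed,    .209->8.8.8.8 em0:  $(first_match "$FIXED" 172.20.6.209 8.8.8.8 em0)"
echo "me-rule,  .211->.209 via lo0: $(first_match "$ME_RULE" 172.20.6.211 172.20.6.209 lo0)"
echo "me-rule,  .211->8.8.8.8 em0:  $(first_match "$ME_RULE" 172.20.6.211 8.8.8.8 em0)"
```

Run as `sh model.sh`. The first line of output is Peter's symptom in miniature: rule 100 matches the lo0 packet before rules 10000/10001 are ever consulted, while the same packet on em0 would have hit rule 10000 (which is why the deny looked correct on paper). With the lo0 deny numbered below 100 the packet is dropped, rule 40000 still blocks .209 off-box, and a `to me` deny ahead of rule 100 stops .211 reaching the host's own addresses without touching its off-box traffic, which is the behaviour Steve expected of that rule.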