Subject: Re: how to make a non-vnet jail local only?
From: Shane Ambler
To: Arthur Chance, Ernie Luzar
Cc: freebsd-questions@freebsd.org
Date: Thu, 6 Aug 2020 13:18:39 +0930

On 6/8/20 1:39 am, Arthur Chance wrote:
> On 05/08/2020 15:17, Ernie Luzar wrote:
>> Arthur Chance wrote:
>>> On 05/08/2020 02:02, Ernie Luzar wrote:
>>>> I have non-vnet jails working that can reach the public internet.
>>>> But now I would like to make some local only non-vnet jails that can
>>>> only access other local only non-vnet jails. By local meaning have no
>>>> access to the public internet.
>>>>
>>>> How do I make this happen?
>>>>
>>>> Thanks for any pointers.
>>>
>>> Create a second loopback interface (cloned_interfaces="lo1" in
>>> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
>>> local jails on lo1 without access to any other interface.
>>>
>>
>> I tested this already and it doesn't work.
>>
>> non-vnet jail with lo99 for the nic and ip address of 10.0.28.5 can
>> still reach the public internet.

Do you have bridging or routing enabled?

Routing can receive foreign packets on an interface and route them to a
different interface. Bridging connects interfaces, sending the same
packets on each.

While I don't have jails set up, I use sysutils/vm-bhyve for bhyve
instances. I have two "vm switches" which are bridge interfaces
connecting bhyve instances with physical interfaces: one bridges with
wlan0 and allows a vm to get internet access; the second bridges with
re0, which has no physical connection and provides no internet access to
bhyve instances, but I can ssh into it from the host.

I have -

net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
net.inet.ip.sourceroute: 0

-- 
FreeBSD - the place to B...Sharing Desktops

Shane Ambler
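The sysctls Shane lists answer his own question ("do you have bridging or routing enabled?") for his host; the script below is an added example, not code from the thread, that turns that comparison into a repeatable audit. It reads `sysctl`-style "key: value" text, so it runs offline on the constructed sample embedded in it, and on a FreeBSD host a capture made with `sysctl -a > caps.txt` can be passed as the first argument. Beyond the keys in the message it also checks net.inet.ip.forwarding (the real FreeBSD knob that lets the host route packets between interfaces). The expected values, the "FINDING" output format and the helper names are this example's own assumptions. One caveat worth keeping in mind when reading the results: a non-vnet jail shares the host's network stack, so its packets are locally originated rather than forwarded, and an IP alias on a cloned loopback is still routed by the host's routing table; these knobs cover the bridging/routing paths Shane asks about, while restricting what a jail address may reach is ultimately a packet-filter rule on that address.

```shell
#!/bin/sh
# Added example (not from the thread): audit the host-wide knobs that
# decide whether packets can cross between interfaces, using
# "key: value" text as printed by sysctl(8). Assumed expected values:
#   net.inet.ip.forwarding   0  host does not route between interfaces
#   net.inet.ip.sourceroute  0  host does not forward source-routed packets
#   net.link.bridge.pfil_bridge 1 packet filter is applied on bridges

# Constructed sample: a host that forwards and does not filter bridges.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
net.inet.ip.sourceroute: 0
net.inet.ip.forwarding: 1'

# sysctl_get FILE KEY: print the value of KEY, or nothing if absent.
sysctl_get() {
    awk -v k="$2" -F': ' '$1 == k { print $2; exit }' "$1"
}

# expect FILE KEY WANT WHY: print a line when KEY is missing or != WANT.
expect() {
    have=$(sysctl_get "$1" "$2")
    if [ -z "$have" ]; then
        printf 'UNKNOWN %s (not in input)\n' "$2"
    elif [ "$have" != "$3" ]; then
        printf 'FINDING %s=%s (want %s): %s\n' "$2" "$have" "$3" "$4"
    fi
}

# audit_isolation FILE: one line per deviation from the isolating values.
audit_isolation() {
    expect "$1" net.inet.ip.forwarding 0 \
        "host routes packets between interfaces"
    expect "$1" net.inet.ip.sourceroute 0 \
        "host forwards source-routed packets"
    expect "$1" net.link.bridge.pfil_bridge 1 \
        "packet filter is not applied to bridge traffic"
}

# finding_count FILE: number of FINDING lines, for use in scripts.
finding_count() {
    audit_isolation "$1" | grep -c '^FINDING' || :
}

# Stand-alone run: audit the file given as $1, else the constructed sample.
if [ -n "$1" ]; then
    audit_isolation "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SYSCTL" > "$tmp"
    audit_isolation "$tmp"
    rm -f "$tmp"
fi
```

On the sample the script reports two findings (forwarding enabled, bridge traffic unfiltered); Shane's posted values, which include pfil_bridge: 1, would produce none for the bridge keys, and the forwarding line would show as UNKNOWN until it is included in the capture.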