Date: Wed, 17 Aug 2016 09:22:44 +0200
From: Lars Engels
To: Ernie Luzar
Cc: "Bjoern A. Zeeb", CyberLeo Kitsana, freebsd-jail@freebsd.org, Freebsd Questions, James Gritton, krad
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <20160817072244.GO18643@e-new.0x20.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net> <57B3B858.4000707@gmail.com>
In-Reply-To: <57B3B858.4000707@gmail.com>

On Tue, Aug 16, 2016 at 09:05:28PM -0400, Ernie Luzar wrote:
> Bjoern A. Zeeb wrote:
> > On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
> >
> >> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> >>
> >>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
> >>> message, "open device:no such file or directory. User kernel version
> >>> check failed."
> >>
> >> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> >> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> >> your jail has those unhidden?
> >>
> >>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
> >>> message, "open(IPSTATE_NAME):no such file or directory."
> >>
> >> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> >> bad idea.
> >
> > /dev/kmem is a bad idea; I should go and check what it is using it for
> > and if needed we should fix that.
> >
> >
> > I guess the general thing is that we might want to create another
> > default set of devfs rules which include additional nodes we now
> > consider safe inside VNET jails; the jail.conf still needs to know the
> > right ruleset to apply, so the jail.conf would need to specify the other
> > devfs_ruleset="..." for vnet jails. Maybe Jamie could then come up with
> > an intelligent solution that would automatically flip things if option
> > vnet is set? I guess jail.conf(5) will need more examples for these
> > things as well.
> >
> >
> > /bz
> >
>
> If that's the road you are thinking of going down, then we have to look
> at the big picture. Is another rule set, say number 5, that includes rule
> set number 4 plus the nodes for ipfilter, pf, and ipfw. Or maybe a
> separate rule set for each firewall, which is more secure.
>
> There is no way jail(8) could know which firewall, if any, was going to be
> run in the vnet jail to select the correct rule if there were separate
> rules for each firewall. A combined rule set containing everything
> needed for all 3 firewalls would be something jail(8) could auto default
> to if the vnet option was coded.
>
> In light of the 11.0 release being published soon, there should be something
> posted to the release notes talking about this with sample code for a
> combined rule #5. This would give vnet users a copy & paste solution to
> use until jail(8) gets updated in 11.1.
>
> I tried this rule set in /etc/devfs.rules
>
> [devfsrules_jail=5]
> add include $devfsrules_jail
> add path /dev/ipl unhide
> add path /dev/ipauth unhide
> add path /dev/ipstate unhide

I think you have to remove '/dev/'

>
> Boot time get error message that this was invalid.
>
> If I could get a correct syntax combined rule #5 file, I could continue
> testing all 3 firewalls using 11.0-RC1.
>
> Your help would be greatly appreciated.
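The devfs.rules path mistake Lars points at, as an added example that is not part of the thread: a small POSIX sh check that flags "add path" entries written with a leading "/dev/" (devfs rule paths are matched relative to the devfs mount point, so "ipl" is right and "/dev/ipl" is not) and prints the corrected ruleset. It runs over a constructed copy of the ruleset quoted in the message; the file name and function names are my own.

```shell
#!/bin/sh
# Added example: lint a devfs.rules(5) fragment for "add path /dev/..." entries.
# devfs rule paths are relative to the devfs mount point, so "add path ipl"
# is the working form and "add path /dev/ipl" is rejected, as seen in the thread.

# Constructed copy of the ruleset quoted in the message (not a real system file).
RULES_FILE="${TMPDIR:-/tmp}/devfs.rules.example.$$"
cat > "$RULES_FILE" <<'EOF'
[devfsrules_jail=5]
add include $devfsrules_jail
add path /dev/ipl unhide
add path /dev/ipauth unhide
add path /dev/ipstate unhide
EOF

# Print each offending line as "<lineno>:<line>"; exit 1 if any were found.
check_devfs_paths() {
    awk '
        /^[[:space:]]*add[[:space:]]+path[[:space:]]+\/dev\// {
            printf "%d:%s\n", NR, $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Emit the same ruleset with the "/dev/" prefix stripped from "add path" lines,
# which is the form the devfs.rules(5) examples use (e.g. "add path ipl unhide").
fix_devfs_paths() {
    sed 's|^\([[:space:]]*add[[:space:]]\{1,\}path[[:space:]]\{1,\}\)/dev/|\1|' "$1"
}

# Number of offending lines (0 when the ruleset is correct).
count_bad_paths() {
    check_devfs_paths "$1" | wc -l | tr -d ' '
}

if check_devfs_paths "$RULES_FILE" >/dev/null; then
    echo "ok: no /dev/ prefixes in $RULES_FILE"
else
    echo "devfs.rules paths must be relative to /dev; offending lines:"
    check_devfs_paths "$RULES_FILE" || true
    echo "corrected ruleset:"
    fix_devfs_paths "$RULES_FILE"
fi
```

The corrected output is what goes into /etc/devfs.rules; the jail still needs that ruleset number selected via devfs_ruleset in jail.conf, as discussed above.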