Date: Mon, 8 Aug 2016 10:19:10 +0200 From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu> To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Firewalling jails and lo0 Message-ID: <20160808081910.GA27370@box-hlm-03.niklaas.eu> In-Reply-To: <57A76DF6.6090905@gmail.com> References: <20160806155411.GA5289@len-t420.klaas> <3C1C4822-17C2-42D9-A9BE-C3549B9B6F25@lists.zabbadoz.net> <20160807082651.GA87754@box-hlm-03.niklaas.eu> <57A743A8.10005@gmail.com> <20160807152347.GA9178@len-t420.klaas> <57A76DF6.6090905@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Ernie Luzar [2016-08-07 13:20 -0400] : > > Aha. So once I assigned those traffic from/to jails should go > > through lo1 solely? > > YES. Thank you for clarifying that and your help. So, I attached additional IP addresses on the jail host side accordingly: lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> [...] inet 127.77.0.1 netmask 0xff000000 inet6 ::77:0:0:0:1 prefixlen 128 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> However, I still see packets being transmitted over lo0. What I tried then was attaching loopback addresses to the jails, like 127.77.2.1/8 and ::77:0:0:2:1/128. I did that for two jails (each on a different subnet) and checked with telnet whether they would start communicating over lo1. They didn't though. > I am still missing info on your jail.conf. Post the jail.conf file for the > jails in question. The following is an extract of /etc/jail.conf. 1 $box = "box-hlm-03"; 2 $box_jail_net = "3"; 3 4 $private_ip4 = "10.$box_jail_net.$network.$id"; 5 $private_ip4_prefixlen = "16"; 6 $private_ip6 = "fd16:dcc0:f4cc:$box_jail_net::$network:$id"; 7 $private_ip6_prefixlen = "64"; 8 $local_ip4 = "10.77.$network.$id"; 9 $local_ip6 = "fd16:dcc0:f4cc:77::$network:$id"; 10 $loopback_ip4 = "127.77.$network.$id"; 11 $loopback_ip6 = "0:0:0:77::$network:$id"; 12 $loopback_ip4_prefixlen = "8"; 13 $loopback_ip6_prefixlen = "128"; 14 15 host.hostname = "$name.$box.klaas"; 16 path = "/usr/local/jails/$name"; 17 ip4.addr = "lo1|$private_ip4/$private_ip4_prefixlen"; 18 ip6.addr = "lo1|$private_ip6/$private_ip6_prefixlen"; 19 ip4.addr += "lo1|$local_ip4/$private_ip4_prefixlen"; 20 ip6.addr += "lo1|$local_ip6/$private_ip6_prefixlen"; 21 ip4.addr += "lo1|$loopback_ip4/$loopback_ip4_prefixlen"; 22 ip6.addr += "lo1|$loopback_ip6/$loopback_ip6_prefixlen"; 23 mount = "/usr/local/jails/templates/base-10.3-RELEASE /usr/local/jails/$name nullfs ro 0 0"; 24 mount += "/usr/local/jails/thinjails/$name /usr/local/jails/$name/jail nullfs rw 0 0"; 25 mount.devfs; 26 27 exec.start = "/bin/sh /etc/rc"; 28 exec.stop = "/bin/sh /etc/rc.shutdown"; 29 exec.clean; 30 31 exec.prestart = "pfctl -t $class -T add $private_ip4 $private_ip6 $local_ip6 $local_ip4"; 32 exec.prestop = "pfctl -t $class -T delete $private_ip4 $private_ip6 $local_ip6 $local_ip4"; 33 34 exec.consolelog = "/usr/local/jails/$name.log"; 35 36 proxy1 { 37 host.hostname = "$name.$box.niklaas.eu"; 38 $network = 2; 39 $id = 1; 40 $class = "proxy"; 41 exec.poststart += "echo 'rdr pass inet6 proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -"; 42 exec.poststart += "echo 'rdr pass inet proto tcp to ( vtnet0 ) port { http https imaps submission smtp } -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -"; 43 exec.poststop += "pfctl -a jails/$name-ipv6 -F all"; 44 exec.poststop += "pfctl -a jails/$name-ipv4 -F all"; 45 } 46 47 smtp1 { 48 host.hostname = "mx.$box.niklaas.eu"; 49 $network = 8; 50 $id = 1; 51 $class = "mail"; 52 } > Also what services are running on the host that you want to > communicate with the smtp jail. You have to change the smtp > config file to tell it to use the new lo1:127.0.10.2 ip address > and you have to do the same thing for what ever host service > will communicate with the smtp jail. They all have to be using > the same lo1:127.0.10.2 ip. Most admin just keep those types of > services on the host because its just easier. I am not sure whether I really want to do what you think I want to. :-) I would like to restrict the jails to solely use the interface they have an IP address attached to -- regardless of the running services in them. The only reason why I intend such a restriction is to limit the damage a potentially malicious jail can cause to other jails. If I configured the services to listen on the address you described above -- while I might make them use lo1 exclusively -- this would not prevent any malicious program from using lo0. My issue can be reduced to the question: When using jails, to secure network traffic as best as I can, do I have to enable the firewall on lo0 or is enabling it on the interface they are attached to (in my case lo1) enough? And: What do I need to do to restrict jails from using lo0? Sorry, if I misunderstood you. Niklaas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160808081910.GA27370>