Date: Wed, 17 Aug 2016 16:46:37 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: Freebsd Questions <FreeBSD-questions@freebsd.org>
Subject: testing 11.0-RC1 vnet jails with pf firewall
Message-ID: <57B4CD2D.5080108@gmail.com>
Hello list;

Running 11.0-RC1 with only option vimage compiled into the generic kernel. PF runs fine on the host. Have pf rules to pass and log everything and I see what I expect to see in the host's pf log. Issuing ifconfig on the host shows

    pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
            groups: pflog

I added this to the vnet jail's rc.conf

    pf_enable="YES"
    pflog_enable="YES"

The jail.conf for the vnet jail has devfsrule # 6 which contains this

    [devfsrules_vjail_pf=6]
    add include $devfsrules_jail
    add path pf unhide
    add path pfsync unhide
    add path pflog unhide

When I start the vnet jail it comes up just fine. Issuing ifconfig from within the vnet jail shows

    pflog0: flags=0<> metric 0 mtu 33184
            groups: pflog

You can see pflog0 has been created but not running. There is no /var/log/pflog file in the vnet jail. Issuing the "pfctl -sr -vv" command from within the vnet jail shows

    No ALTQ support in kernel
    ALTQ related functions disabled
    @0 pass log (all) quick on epair2b all flags S/SA keep state
      [ Evaluations: 11        Packets: 55        Bytes: 8366        States: 0     ]
      [ Inserted: uid 0 pid 2561 State Creations: 11    ]

I can ping the public from within the vnet jail. These limited signs seem to indicate the pf firewall is working in some limited way in the vnet jail.

The real problem is with pf logging. There is none. The single pass rule that runs in the vnet jail should be generating log data from the ipv4 pings I do and whois packets. There is even nothing in the host's pf log. The only things I see in the host's pf log are ipv6 ping6 multicasts and ipv6 dns inquire requests going out the host's external interface.

The vimage literature talks about unique firewalls per vnet jail. To me that translates into the firewall generating logs in the vnet jail directory tree. I rebooted the host and used a kernel compiled with vimage and pf. Got same results.

Suggestions about what I can try to get logging working in the vnet jail so it logs to the vnet jail's directory tree sure would be appreciated. Thanks
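An added diagnostic helper, not from the original post, that turns the checks above into a script you can run inside the vnet jail: it parses the `ifconfig pflog0` and `pfctl -sr` output you hand it and reports why /var/log/pflog may stay empty. The sample text is constructed from the lines quoted in the e-mail; reading "flags=0<>" as "no pflogd has pflog0 open" is this example's assumption, not something the post establishes.

```shell
# Added diagnostic helper (example code, not from the original post). Feed it the
# text of `ifconfig pflog0` and `pfctl -sr` from inside the jail and it reports
# why /var/log/pflog may stay empty. Samples are constructed from the e-mail.

# Classify pflog0 from ifconfig output: prints running | down | missing.
pflog_iface_state() {
    printf '%s\n' "$1" | grep -q '^pflog0:' || { echo missing; return 2; }
    flags=$(printf '%s\n' "$1" | sed -n 's/^pflog0: flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    up=no; run=no
    case ",$flags," in *,UP,*) up=yes ;; esac
    case ",$flags," in *,RUNNING,*) run=yes ;; esac
    [ "$up" = yes ] && [ "$run" = yes ] && { echo running; return 0; }
    echo down; return 1
}

# Count rules in `pfctl -sr` (with or without -vv's "@N" prefix) carrying "log".
count_log_rules() {
    printf '%s\n' "$1" | grep -Ec '^(@[0-9]+ )?(pass|block|match)( [^#]*)? log( |$)' || true
}

# One verdict per jail; $3 is "yes" when /var/log/pflog exists there.
# Reading "flags=0<>" as "no pflogd has pflog0 open" is this example's assumption.
diagnose() {
    state=$(pflog_iface_state "$1"); nlog=$(count_log_rules "$2")
    case "$state" in
        missing) echo "pflog0 not visible: devfs ruleset must unhide pflog"; return 1 ;;
        down) echo "pflog0 not UP/RUNNING: no pflogd attached, check pflog_enable started it in the jail"; return 1 ;;
    esac
    [ "$nlog" -eq 0 ] && { echo "pflog0 is up but no rule carries 'log'"; return 1; }
    [ "$3" = yes ] || { echo "log rules and pflog0 fine, but /var/log/pflog absent: check pflogd's -f path"; return 1; }
    echo "pf logging looks operational ($nlog log rule(s))"; return 0
}

# Constructed samples, taken from the lines quoted in the e-mail.
HOST_IFCONFIG='pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184'
JAIL_IFCONFIG='pflog0: flags=0<> metric 0 mtu 33184'
JAIL_RULES='No ALTQ support in kernel
ALTQ related functions disabled
@0 pass log (all) quick on epair2b all flags S/SA keep state'

diagnose "$HOST_IFCONFIG" "$JAIL_RULES" yes
diagnose "$JAIL_IFCONFIG" "$JAIL_RULES" no || echo "(jail check exited $?)"
```

Run live inside the jail as `diagnose "$(ifconfig pflog0)" "$(pfctl -sr)" $([ -f /var/log/pflog ] && echo yes || echo no)`; the jail sample above reproduces the "down" verdict the post describes.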