From: Julian Elischer <julian@freebsd.org>
To: Ernie Luzar, FreeBSD current <freebsd-current@freebsd.org>
Subject: Re: vnet & firewalls in 12.0
Date: Thu, 18 Oct 2018 12:44:45 -0700
Message-ID: <3a30931f-9301-1ec8-f902-5c69bf45061d@freebsd.org>
In-Reply-To: <5BC8D1FC.1010802@gmail.com>

I will only discuss ipfw.. I don't use pf.

On 18/10/18 11:33 am, Ernie Luzar wrote:
> Wanting to get a head start on using 12.0 and vnet jails with an in-jail
> firewall.
>
> 1. Will Vimage be compiled as a module in the 12.0 kernel and be
> included in the base system release?

it's in base.. not a module

> 1.a. Has the boot time console log message about vimage being
> "highly experimental" been removed?
>
> 2. Has the pf firewall been fixed so it can now run in a vnet jail
> or multiple vnet jails without concern for which firewall is
> running on the host?
>
> 2.a. Is each vnet/pf log only viewable from its vnet jail console?
>
> 2.b. Will the pf kernel module auto load on first call from a vnet jail?
>
> 2.c. Does vnet/pf NAT work?
>
> 3. Does the ipfw firewall still have the 11.x release mandatory
> requirement that the host must also be running ipfw for the vnet
> jailed ipfw to work?

never heard about that.. effectively each network stack can have its
own firewall. The ipfw module must be loaded so it will be 'hooked
into' each stack. whether you use it or not is up to you.

> 3.a. Are all vnet/ipfw log messages still intermixed with the host's
> ipfw log messages?

that is probably the case. there is no per-jail kernel logging
facility. (Sounds like a good idea! Send patches!)

> 3.b. Does vnet/ipfw NAT work?

last I checked it did.

> 4. Has any work been done to ipf (ipfilter) so it will function when
> used in a vnet jail?

I don't know how many people are using that... not a lot.
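As an added illustration of the set-up Julian describes (ipfw loaded once on the host and hooked into every network stack, each vnet jail applying its own rules, log output landing in the host's kernel log), here is a host loader.conf and jail.conf plus the jail's own rc.conf. This is not configuration from the thread; the jail name fw1, the path /jails, the epair0/bridge0 interfaces and the 10.0.0.0/24 addresses are assumptions, and bridge0 is assumed to already exist on the host.

```conf
# --- host: /boot/loader.conf ---
# Load ipfw once on the host; it is then hooked into every vnet stack.
ipfw_load="YES"
# Without this tunable a freshly loaded ipfw (and each new vnet) starts
# with rule 65535 deny, which also cuts off a host that runs no rules.
net.inet.ip.fw.default_to_accept="1"

# --- host: /etc/jail.conf (assumed jail name, path and interfaces) ---
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name";

fw1 {
    vnet;
    vnet.interface = "epair0b";
    # Create the epair and bridge its host end; the jail gets epair0b.
    # bridge0 is assumed to exist (e.g. cloned_interfaces on the host).
    exec.prestart = "ifconfig epair0 create up; ifconfig bridge0 addm epair0a";
    # Destroying epair0a removes both ends.
    exec.poststop = "ifconfig epair0a destroy";
}

# --- jail: /jails/fw1/etc/rc.conf ---
ifconfig_epair0b="inet 10.0.0.2/24"   # constructed address
defaultrouter="10.0.0.1"              # constructed address
# rc.d/ipfw inside the jail finds the module already loaded (kldstat)
# and applies this jail's ruleset to this jail's own network stack;
# the host may keep firewall_enable="NO" and still pass traffic.
firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="22/tcp"
firewall_allowservices="any"
# 'log' rules fired in this jail are written to the host's kernel log
# (there is no per-jail kernel logging), so review them on the host.
firewall_logging="YES"
```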