Date: Sun, 26 Jun 2016 18:15:39 +0300 From: Aleksandr A Babaylov <"."@babolo.ru> To: org.freebsd.security@io7m.com Cc: freebsd-net@freebsd.org Subject: Re: Filtering outbound traffic for private address jails? Message-ID: <20160626151539.GA27211@babolo.ru> In-Reply-To: <20160625220137.1ed8de16@copperhead.int.arc7.info> References: <20160625220137.1ed8de16@copperhead.int.arc7.info>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jun 25, 2016 at 10:01:37PM +0000, org.freebsd.security@io7m.com wrote: > Hello. > > I have been searching for the best part of a day for a solution to this > problem and quite frankly cannot believe that I've spent this long on > something that appears to be so simple and that used to be fairly easy > to achieve. Many years ago, I solved this problem on FreeBSD 6, but the > way I did it there seems to no longer work on modern releases. > > The problem is this: I have a single public IP address. I want to run > multiple jails. > > Back in the days of FreeBSD 6.*, the accepted way to do this seemed to > be to create a new loopback device: > > # ifconfig lo1 create > > ... and then add a lot of private 127.0.0.* addresses, one per jail. > > Then, the real network adapter and the new loopback device were both > added to a bridge (if_bridge). Unfortunately, I can't remember the exact > details, but I believe that NAT was then enabled on the real interface. > In order to filter traffic to, from, and between jails, pf rules were > written that filtered the bridge device. > > This meant that jails could correctly send outbound traffic and > receive responses (via pf states), could correctly receive specific > inbound traffic (via rdr rules), and traffic in both directions could be > filtered based on packets entering and leaving the bridge. > > However (see my other mailing list post), it seems that now with > FreeBSD 10, you just can't add loopback devices to bridges. I can find > no evidence of anyone online doing this, or even using the old bridge > method that I just described! I can find one post in russian that seems > to have the same error that I encounter, but nobody has any idea why > it's happening. > > I can find dozens of blog posts describing how to set up jails on > private IP addresses. They all follow the same pattern: > > 1. Create a loopback device. > 2. Create a 127.0.0.* address on the loopback device. > 3. Create a jail using the address you just added. > 4. Set up pf and enable NAT between the real network adapter and > the new loopback device. > > Unfortunately, at this point, you completely lose the ability to filter > outbound jail traffic; All packets sent from a jail will obviously have > their source address changed to that of the host and therefore it's not > possible to distinguish between outbound host traffic and outbound jail > traffic in filter rules. > > As far as I can tell, people are just not filtering outbound traffic, > which seems insane! > > Is it really impossible to do this with FreeBSD 10? I am not shure about 127.0.0.* adresses, there is some restritions in kernel. It is easy to do what you want when using another private adresses and ipfw. Just ifconfig private adresses on em0 and use rules simirar to: 10000 skip to 30000 ip from any to any out 12000 allow .... .... deny ... 20000 nat 1 ... 21000 allow .... .... deny ... 29000 deny ip fom any to any 31000 allow ip from your_private_IP to any src-port ... dst-port ... .... so on 40000 nat 1 ... 41000 allow .... .... deny ... And config ipfw nat 1 as suit to you.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160626151539.GA27211>