From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 14:52:57 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AC09FCE5 for ; Sat, 12 Jul 2014 14:52:57 +0000 (UTC) Received: from relay.mailchannels.net (aso-006-i400.relay.mailchannels.net [143.95.81.29]) by mx1.freebsd.org (Postfix) with ESMTP id 2C139291D for ; Sat, 12 Jul 2014 14:52:56 +0000 (UTC) X-Sender-Id: _forwarded-from|107.201.34.133 Received: from mail-24.name-services.com (unknown [10.237.11.126]) by relay.mailchannels.net (Postfix) with ESMTPA id 2C3C610088A; Sat, 12 Jul 2014 14:52:48 +0000 (UTC) X-Sender-Id: _forwarded-from|107.201.34.133 Received: from mail-24.name-services.com (mail-24.name-services.com [10.253.92.5]) (using TLSv1 with cipher AES128-SHA) by 0.0.0.0:2500 (trex/5.2.5); Sat, 12 Jul 2014 14:52:48 GMT X-MC-Relay: Forwarding X-MailChannels-SenderId: _forwarded-from|107.201.34.133 X-MailChannels-Auth-Id: demandmedia Received: from [10.0.10.1] (107-201-34-133.lightspeed.bcvloh.sbcglobal.net [107.201.34.133]) by mail-24.name-services.com with SMTP; Sat, 12 Jul 2014 07:52:40 -0700 Message-ID: <53C14BB9.3030602@a1poweruser.com> Date: Sat, 12 Jul 2014 10:52:41 -0400 From: Fbsd8 User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Peter Toth Subject: Re: vnet jail and ipfw/nat on host - keep-state problem? References: <53BFE796.7020502@a1poweruser.com> <53C08C74.6000805@a1poweruser.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: Peter Ross , freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jul 2014 14:52:57 -0000 Sham on you Peter Toth. Slander and calling names about someone who does not agree with you is childish and something I would expect from a 10 year old. This foolish post only shows how unprofessional your behavior is. Sham on you. Every thing stated by me is the truth and verified by the outstanding pr's. If you can't trust the PR system as credible, then what can you trust. I don't disagree that you may have a working vnet/vimage configuration running on your hobby host system or that your foolishly exposing your hobby host system to public network attack and host system takeover. There is a very big difference between software that does not crash when started and software that performs within its design parameters. I think just because your configuration does not crash means to you its working as expected. This is foolish in light of all the negative warnings about vimage. vimage is experimental and nothing you say can change that fact. Readers don't believe me or Peter Toth and review the listed pr numbers and do your own search of bugzilla on keyword vnet or vimage and make up your own mind. Peter Toth wrote: > Dear Joe Barbish (alias fbsd8@a1poweruser.com > ), > > When you going to stop trolling the FreeBSD mailing list and spread > disinformation? > > People come to this place to learn, share information, help out other > folks and most importantly to have a constructive debate! (obviously > some would rather divert this effort) > > The PR number's mentioned are mostly outdated from the 8.x and 9.x > series - some of them are completely irrelevant (like ACPI) or for a > i386 system. > Beyond this I am categorically refusing to waste any energy and time on > answering any trolling/diversion attempts by Joe Barbish. > > I am not going to burn time on dissecting each PR one-by-one but rather > share my experience with VNET. > > Over the last year and a half have deployed numerous production systems > based on amd64 10-RELEASE with VNET enabled and PF running on the host. > Encountered 0 instability issues! Details on how to do this are > here: http://iocage.readthedocs.org/en/latest/real-world.html > > As I mentioned before IPFW works in a jail and PF only works on the host. > > Back to the original issue though, Peter could you please share your > IPFW config with me (maybe just send it directly to me), would be very > interested to get it going in my lab setup and add a howto page to share > this with others. > > Cheers, > Peter > > > On Sat, Jul 12, 2014 at 1:16 PM, Fbsd8 > wrote: > > Peter Toth wrote: > > On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 >__> wrote: > > Peter Toth wrote: > > Have not used natd with IPFW much as always preferred PF > to do > everything > on the host. > > I have only a wild guess - the "me" keyword in IPFW is > substituted only to > the host's IPs known to itself. > The host's IPFW firewall most likely doesn't know > anything about IPs > assigned to vnet interfaces inside the jail. > > Vnet jails behave more like separate physical hosts. > > Internet ---> [host] ------- (10.0.10.0 LAN) ------> > [vnet jail] > > The PF issue inside a jail is a separate problem, PF is > not fully > VIMAGE/VNET aware as far as I know. > > Can someone comment on these or correct me? > > P > > > > On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross > >> > > wrote: > > On Thu, 10 Jul 2014, Peter Toth wrote: > > Hi Peter, > > Try to make these changes: > > net.inet.ip.forwarding=1 # Enable IP > forwarding > between interfaces > net.link.bridge.pfil_onlyip=0 # Only pass IP > packets > when pfil is enabled > net.link.bridge.pfil_bridge=0 # Packet filter > on the > bridge interface > net.link.bridge.pfil_member=0 # Packet filter > on the > member interface > > You can find some info > here > > http://iocage.readthedocs.org/____en/latest/help-no-internet.____html > > > > > > > I've had these issues before with PF and IPFW, by > default these will be > filtering on your bridge and member interfaces. > > Thanks. It did not change anything. > > Now, inside_ the jail I run "ipfw allow ip from any > to any". > > This on the host system: > > 01000 check-state > 01100 allow tcp from any to any established > 01200 allow ip from any to any frag > 00100 divert 8668 ip4 from any to any via age0 > 03100 allow udp from any to 10.0.10.1 dst-port 53 > keep-state > 03200 allow udp from any to me dst-port 53 keep-state > > (with natd redirecting "redirect_port udp > 10.0.10.1:53 > external.ip:53") > > > If I add > > 03300 allow udp from me 53 to any > > it works.. > > So it makes me think check-state isn't usable - because > > 03200 allow udp from any to me dst-port 53 keep-state > > should cover the returning packets. > > I played with your parameters but it did not help. But > thanks for the idea. > > Here again the setup: > > Internet->age0(host interface with natd and external IP) > ->bridge10(10.0.10.254)->____epair1a > > ->epair1b(10.0.10.1 in bind vnet jail) > > I wonder what kind of restrictions exist with vnet.. > it does > not seem to > work _exactly_ as a "real" network stack (the issues > with pf > inside the > jail let me think of it too) > > Did I find a restriction, a bug - or just that I've > got it > wrong? > > Regards > Peter > > > Any firewall function that runs in the kernel will not function > inside of a vnet/vimage jail. > > > > This sounds a bit vague, can you please explain in more detail > what you meant by this? > > IPFW works inside a vnet jail - You can manage per jail firewall > instances without any issues. > > The only firewall which cannot function inside a jail (yet) is PF. > > P > > > > You are incorrect. > Here is a list of some of the vnet/vimage outstanding PR's > > 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, > 165252, 176112, 176929, 178480, 178482, 179264, 182350, 185092, > 188010, 191468 > > > > > > >