From owner-freebsd-questions@freebsd.org Sat Aug 6 15:54:39 2016
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C43EEBB065C; Sat, 6 Aug 2016 15:54:39 +0000 (UTC) (envelope-from stdin@niklaas.eu)
Received: from mx.box-hlm-01.niklaas.eu (mx.box-hlm-01.niklaas.eu [84.22.107.79]) by mx1.freebsd.org (Postfix) with ESMTP id 9529F181C; Sat, 6 Aug 2016 15:54:39 +0000 (UTC) (envelope-from stdin@niklaas.eu)
Received: from len-t420.klaas (unknown [IPv6:2a02:908:d722:7b00:224:d7ff:feec:38e0]) by mx.box-hlm-01.niklaas.eu (Postfix) with ESMTPSA id 7C30D2C3592; Sat, 6 Aug 2016 17:54:17 +0200 (CEST)
Date: Sat, 6 Aug 2016 17:54:11 +0200
From: Niklaas Baudet von Gersdorff
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Firewalling jails and lo0
Message-ID: <20160806155411.GA5289@len-t420.klaas>
Reply-To: stdin@niklaas.eu
Mail-Followup-To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.6.0 (2016-04-01)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 06 Aug 2016 15:54:39 -0000

Hi,

In the manual I read the advice to disable the firewall on the loopback interface (`set skip on lo0`). It makes sense to me: why would I want to firewall traffic on the loopback interface?

I have jails with IPs assigned on lo1. Intentionally I do /not/ `set skip on lo1` because I also want to restrict traffic (in and out) from and to the jails. (In case one of them becomes infiltrated.)

However, today I realised that some connections originating from these jails use the loopback interface lo0. That said, they "circumvent" the firewall I set on lo1.

`tcpdump` shows connections on lo0 from and to jails' IPs (especially IPv6s) although these IPs are solely assigned to lo1. I was quite surprised by that behaviour.

So, if I want to isolate the jails and restrict traffic from and to them, will I need to remove skipping on lo0 and block there too?

Any advice and explanation is very much appreciated.

Niklaas
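The check behind the observation above, as an added example that is not part of the original post: a small sh/awk filter that reads `tcpdump -n` output for lo0 and reports every packet whose source or destination is one of the jail addresses that are supposed to live only on lo1. The jail addresses and the capture lines are constructed placeholders, not the poster's values; the `jail_leaks` and `jail_leak_count` function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post. Flags packets seen on lo0
# that carry a jail address which is assigned only on lo1, i.e. traffic
# that a `set skip on lo0` ruleset never inspects.

# Constructed jail addresses (assumed to be assigned on lo1).
JAIL_ADDRS="10.99.0.10 10.99.0.11 fd00:99::10"

# Constructed sample of `tcpdump -ni lo0` output, one packet per line.
# Lines 2, 3 and 5 involve jail addresses; lines 1 and 4 are plain 127.0.0.1.
SAMPLE_CAPTURE='12:00:01.000001 IP 127.0.0.1.51000 > 127.0.0.1.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 10.99.0.10.43210 > 10.99.0.1.53: 1+ A? example.invalid. (33)
12:00:01.000003 IP6 fd00:99::10.40000 > fd00:99::1.25: Flags [S], seq 2, win 65535, length 0
12:00:01.000004 IP 127.0.0.1.22 > 127.0.0.1.51000: Flags [S.], seq 3, ack 2, win 65535, length 0
12:00:01.000005 IP 10.99.0.11 > 10.99.0.1: ICMP echo request, id 1, seq 1, length 64'

# jail_leaks: read tcpdump text on stdin, print lines mentioning a jail address.
# tcpdump -n prints an address followed by ".port" (TCP/UDP), a space
# (source of an ICMP line) or ":" (destination of an ICMP line), so the
# address is matched together with one of those terminators to avoid
# matching 10.99.0.1 inside 10.99.0.10.
jail_leaks() {
    awk -v addrs="$JAIL_ADDRS" '
        BEGIN { n = split(addrs, a, " ") }
        {
            for (i = 1; i <= n; i++) {
                if (index($0, a[i] ".") || index($0, a[i] " ") || index($0, a[i] ":")) {
                    print
                    next
                }
            }
        }'
}

# jail_leak_count: number of leaking lines, handy for a monitoring check.
jail_leak_count() {
    jail_leaks | awk 'END { print NR }'
}

# Stand-alone run on the constructed capture; on a real host feed it with:
#   tcpdump -lni lo0 | jail_leaks
printf '%s\n' "$SAMPLE_CAPTURE" | jail_leaks
```

On a live system the `set skip on lo0` question can be answered from the same pipe: if `jail_leak_count` is non-zero while the pf rules on lo1 are in place, that traffic is passing an interface pf does not filter.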