Date: Sat, 06 Aug 2016 12:15:27 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Cc: stdin@niklaas.eu
Subject: Re: Firewalling jails and lo0
Message-ID: <57A60D1F.80500@gmail.com>
In-Reply-To: <20160806155411.GA5289@len-t420.klaas>
References: <20160806155411.GA5289@len-t420.klaas>
Niklaas Baudet von Gersdorff wrote:
> Hi,
>
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`). It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
>
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
>
> However, today I realized that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.
>
> I was quite surprised by that behavior. So, if I want to isolate
> the jails and restrict traffic from and to them, will I need to
> remove skipping on lo0 and block there too?
>
> Any advice and explanation is very much appreciated.
>
> Niklaas

This bug report will answer your questions for non-vimage jails.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
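A pf.conf sketch of one way to stop depending on which loopback interface the jail packets show up on, added here as an example and not taken from the thread or the bug report: lo0 is not skipped, host loopback traffic is passed explicitly, and the jail policy is keyed on a table of jail addresses rather than on lo1. The uplink name em0, the jail prefixes and the allowed ports are assumptions.

```pf
# Added example, not from the thread. Assumed layout: jails hold addresses in
# 10.0.0.0/24 and fd00:1::/64 on lo1; the host's uplink is em0.
ext_if = "em0"
table <jails> const { 10.0.0.0/24, fd00:1::/64 }

# Weak setting from the thread: with lo0 skipped, any jail traffic the kernel
# carries over lo0 is never inspected by pf.
# set skip on lo0

# Assumed NAT so jail addresses can leave via the uplink.
nat on $ext_if inet from <jails> to any -> ($ext_if)

block log all

# The host's own loopback traffic stays open; jail addresses on lo0 do not
# match here and fall through to the address-based rules below.
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# Jail policy keyed on address, so it applies on lo0, lo1 and em0 alike.
# Jails may not talk to each other, to the host's loopback, or to the uplink address.
block quick from <jails> to <jails>
block quick from <jails> to { 127.0.0.0/8, ::1 }
block quick from <jails> to ($ext_if)

# Jails may open only HTTP/HTTPS and DNS towards non-jail destinations.
pass quick proto tcp from <jails> to ! <jails> port { 80, 443 } flags S/SA keep state
pass quick proto udp from <jails> to ! <jails> port 53 keep state

# The host itself is unrestricted outbound.
pass out quick on $ext_if from ($ext_if) keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then watch `tcpdump -ni lo0` against `pfctl -vsr` counters to confirm jail packets on lo0 are now hitting the address-based rules.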