Date: Sat, 06 Aug 2016 12:55:00 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org, stdin@niklaas.eu
Subject: Re: Firewalling jails and lo0
Message-ID: <57A61664.9010100@gmail.com>
In-Reply-To: <20160806162343.GE5566@len-t420.klaas>
References: <20160806155411.GA5289@len-t420.klaas> <57A60D1F.80500@gmail.com> <20160806162343.GE5566@len-t420.klaas>
Niklaas Baudet von Gersdorff wrote:
> Ernie Luzar [2016-08-06 12:15 -0400] :
>
>> This bug report will answer your questions for non-vimage jails.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
>
> Thanks a lot. So I stumbled upon a security issue? And the only
> way to work around this is by using vimage jails? While vimage
> refers to some virtualisation of the network /within/ the jails?
>
> Niklaas

That is not the undocumented workaround solution contained in the PR. Vimage jails are not mentioned at all. The loopback problem is isolated to non-vimage jails only.

If your non-vimage jail does not contain an application that uses localhost lo0/127.0.0.x, then you don't need to do anything. If there is an application in your jail that uses lo0/127.0.0.x, then for that jail's jail.conf definition you have to manually activate loopback by adding lo0:127.0.0.x to the jail's ip4_addr parameter value along with the jail's primary IP address. Then manually change the conf file of all the applications running in that jail to use that lo0 127.0.0.x IP address.

Or an alternative is to add a statement to the host's rc.conf to clone the lo0 interface and then code as above. This means each jail has a unique loopback IP address.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57A61664.9010100>
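The procedure Ernie describes above, as an added example that is not code from the original message, the PR or the FreeBSD project: a small POSIX sh script that writes the jail.conf stanza giving a non-VIMAGE jail its own loopback alias (jail(8) uses the `interface|address` form for this), a check that a stanza really carries a loopback address other than the host's 127.0.0.1, and a helper that rewrites an application's config to that address. The jail name `www`, path `/usr/jails/www`, interface `em0`, address 192.0.2.10/24, loopback alias 127.0.0.10 and the sample `listen =`/`bind` lines are all constructed for illustration; the rc.conf line for the cloned-interface alternative assumes the clone is named `lo1`, since `lo0` already exists on the host.

```shell
#!/bin/sh
# Added example, not code from the original post or the FreeBSD PR.
# Builds the jail.conf stanza for a non-VIMAGE jail that gets its own
# loopback address, checks a stanza for one, and rewrites an application
# config to use it. Names, paths and addresses below are constructed.

# Print a jail.conf stanza.
# Args: name path ext_iface ext_addr loop_addr [loop_iface]
# loop_iface defaults to lo0; pass lo1 for the cloned-interface variant.
jail_stanza() {
    js_name=$1; js_path=$2; js_iface=$3; js_addr=$4; js_loop=$5
    js_loif=${6:-lo0}
    cat <<EOF
$js_name {
    host.hostname = "$js_name.example.org";
    path = "$js_path";
    # Primary address plus a jail-private loopback alias. The "iface|"
    # prefix tells jail(8) to add the alias on start and remove it on stop.
    ip4.addr = "$js_iface|$js_addr", "$js_loif|$js_loop/32";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
EOF
}

# rc.conf line for the alternative the post mentions: a cloned loopback
# interface. Assumption: the clone is named lo1 (lo0 already exists).
rc_conf_cloned_loopback() {
    printf 'cloned_interfaces="%s"\n' "${1:-lo1}"
}

# Succeed (exit 0) and print the address only if the jail.conf stanza on
# stdin lists a loopback address other than 127.0.0.1, which a non-VIMAGE
# jail would otherwise share with the host and every other jail.
has_private_loopback() {
    hp_addr=$(grep -E '^[[:space:]]*ip4\.addr' | tr ',' '\n' \
        | sed -n 's/.*lo[0-9]*|\(127\.[0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$hp_addr" ] && [ "$hp_addr" != "127.0.0.1" ] && echo "$hp_addr"
}

# Rewrite an application config (stdin -> stdout) so that every
# 127.0.0.1 becomes the jail's own loopback address. Two expressions keep
# this POSIX sed: one for mid-line matches, one for end-of-line matches,
# so 127.0.0.11 and similar are left alone.
rebind_loopback() {
    sed -e "s/127\.0\.0\.1\([^0-9]\)/$1\1/g" -e "s/127\.0\.0\.1$/$1/"
}

# Usage: write the stanza, verify it, then rewrite a constructed config.
jail_stanza www /usr/jails/www em0 192.0.2.10/24 127.0.0.10 \
    | has_private_loopback >/dev/null && echo "www: private loopback ok"
printf 'listen = 127.0.0.1:8080\n' | rebind_loopback 127.0.0.10
```

Run the generated stanza through `jail -f /etc/jail.conf -p www` (or whatever file you keep it in) on the host and confirm with `jexec www ifconfig lo0` that the alias appears only while the jail is running; the check function is what you would drop into a config linter so a jail that binds something to localhost cannot be started without its own 127.0.0.x.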