From: Ernie Luzar <luzar722@gmail.com>
Date: Fri, 17 Jul 2020 16:31:53 -0400
To: Alexander Leidinger
CC: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org, David Mehler
Subject: Re: vnet jail for local only or public access
Message-ID: <5F120AB9.8060209@gmail.com>
In-Reply-To: <20200717152243.Horde.9H9QDqj9GtGFk_mayhRBsvs@webmail.leidinger.net>
Alexander Leidinger wrote:
> Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400):
>
>> Trying to figure out how to configure a vnet jail so it is restricted
>> to only being able to talk to other vnet jails on the same host, i.e.
>> local-only vnet jails, as distinct from vnet jails that are able to
>> access the public internet.
>>
>> Using the bridge/epair method of connecting vnet jails to the host
>> [based on this how-to]:
>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>
>> It's my understanding that this behavior is controlled by whether the
>> host's interface connected to the public internet is added as a member
>> of the bridge that the vnet jails' epairXa interfaces are members of.
>
> Partly correct. You can also have a setup where your host is routing
> between what you call the public internet and the local-only vnets.
>
>> I tested this on a remote VM and found that it made no difference one
>> way or the other whether the host's interface connected to the public
>> internet was added as a member of the bridge or not. In both cases the
>> vnet jail had public internet access.
>
> It shouldn't, if there is no routing involved.
>
> Please show us "ifconfig -a" and "netstat -rn" of the host.
>
> Bye,
> Alexander.

root >netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0
xxx.25.48.0/20     link#2             U           re0
xxx.25.51.0        link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
/root >
/root >ifconfig -a
em0: flags=8843 metric 0 mtu 1500
	options=81249b
	ether d0:50:99:93:75:98
	inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
re0: flags=8843 metric 0 mtu 1500
	options=8209b
	ether 50:3e:aa:06:11:22
	inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
	options=680003
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21
bridge10: flags=8843 metric 0 mtu 1500
	description: qjail-vnet-jail-only-bridge
	ether 02:3e:ba:a7:58:0a
	inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair4a flags=143
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	groups: bridge
	nd6 options=1
epair4a: flags=8943 metric 0 mtu 1500
	description: qjail-vnet-jail-dir10
	options=8
	ether 02:f6:61:9a:b4:0a
	inet6 fe80::f6:61ff:fe9a:b40a%epair4a prefixlen 64 scopeid 0x6
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T )
	status: active
	nd6 options=21

Vnet jail can ping the public internet.
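As an added example (not code from the thread, and nothing FreeBSD or qjail ships), here is a small POSIX shell checker that takes the two outputs Alexander asked for and reports which path a vnet jail behind a bridge has to the outside: an L2 path when the public interface is itself a member of the bridge, or an L3 path when the host holds an address on the bridge and can route for the jails. The second case is what Ernie's output shows: bridge10 carries 10.0.20.2 and the host's default route leaves via re0, so no bridge membership is needed for the jail to reach the internet as long as the host forwards IPv4 (the net.inet.ip.forwarding sysctl, set by gateway_enable in rc.conf). The sample text embedded in the script is trimmed from the message above; the interface and bridge names are taken from it, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: decide, from a host's "ifconfig -a" and "netstat -rn4"
# output, which path a vnet jail behind a bridge has to the public internet.
#   L2 - the public interface is a member of the bridge
#   L3 - the host owns an IP on the bridge and routes for the jails
# The sample text below is trimmed from the output posted in the message.

IFCONFIG_SAMPLE='re0: flags=8843 metric 0 mtu 1500
        ether 50:3e:aa:06:11:22
        inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
bridge10: flags=8843 metric 0 mtu 1500
        description: qjail-vnet-jail-only-bridge
        ether 02:3e:ba:a7:58:0a
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        member: epair4a flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
epair4a: flags=8943 metric 0 mtu 1500
        description: qjail-vnet-jail-dir10'

NETSTAT_SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0'

# Print the ifconfig section (header plus indented lines) of interface $1.
# $2 is the full ifconfig text.
iface_section() {
    printf '%s\n' "$2" | awk -v want="$1:" '
        /^[A-Za-z0-9_.]+: flags=/ { cur = $1 }
        cur == want { print }'
}

# Print the bridge members of bridge $1, one per line.
bridge_members() {
    iface_section "$1" "$2" | awk '$1 == "member:" { print $2 }'
}

# Print the first IPv4 address the host holds on interface $1 (empty if none).
iface_inet() {
    iface_section "$1" "$2" | awk '$1 == "inet" { print $2; exit }'
}

# Print the outgoing interface (Netif column) of the default route.
default_route_if() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# assess_bridge BRIDGE PUBLIC_IF IFCONFIG_TEXT NETSTAT_TEXT
# Prints a verdict; returns 1 for an L2 path, 2 for an L3 path, 0 if neither
# is visible in the supplied output.
assess_bridge() {
    br=$1 pub=$2 ifc=$3 rt=$4
    for m in $(bridge_members "$br" "$ifc"); do
        if [ "$m" = "$pub" ]; then
            echo "L2: $pub is a member of $br, so jails sit on the public segment"
            return 1
        fi
    done
    addr=$(iface_inet "$br" "$ifc")
    if [ -n "$addr" ]; then
        echo "L3: host owns $addr on $br and its default route leaves via" \
             "$(default_route_if "$rt"); with net.inet.ip.forwarding=1 the host" \
             "routes jail traffic out. For a local-only bridge, drop the host" \
             "address, keep forwarding off, or filter the bridge with pf"
        return 2
    fi
    echo "$br: no public member and no host address, looks local-only"
    return 0
}

# Run against the sample from the message; on a real host replace the two
# samples with "$(ifconfig -a)" and "$(netstat -rn4)".
rc=0
assess_bridge bridge10 re0 "$IFCONFIG_SAMPLE" "$NETSTAT_SAMPLE" || rc=$?
fwd=$(sysctl -n net.inet.ip.forwarding 2>/dev/null) || fwd="n/a (not a FreeBSD host)"
echo "verdict code: $rc; net.inet.ip.forwarding here: $fwd"
```

For Ernie's output the script reports the L3 case (return code 2): removing re0 from the bridge changes nothing because the jail's traffic never needed the bridge to reach re0, it is routed by the host. Running the same check after removing the host's address from bridge10 (or with forwarding disabled) is the quickest way to confirm the bridge is actually local-only before relying on it.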