From owner-freebsd-net@freebsd.org Fri May 6 04:16:19 2016
Date: Thu, 5 May 2016 22:16:18 -0600
Subject: Re: How to use pf with vimage jails?
From: Alan Somers
To: Julian Elischer
Cc: Shawn Debnath, Kristof Provost, FreeBSD Net
In-Reply-To: <3ed0ddc2-3439-19fb-3075-8b5079cc5731@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, May 4, 2016 at 11:49 PM, Julian Elischer wrote:
> On 4/05/2016 11:59 PM, Shawn Debnath wrote:
>
>> On 05/04, Alan Somers wrote:
>>
>>> Then maybe it's the bridged aspect that's screwing me up. Is there a
>>> guide for using pf on bridged interfaces? All I can find is this guide
>>> for ipfw.
>>>
>> I ran into a similar issue recently and decided to write up an article on
>> my site that documents how to set up jails with VNET/VIMAGE using a bridge
>> on the host. This might help you:
>>
>> http://shawndebnath.com/articles/2016/03/27/freebsd-jails-with-vlan-howto.html
>>
>> If you see any errors, do let me know and I will get those fixed up.
>>
>
> Devin just committed some sample code to share/examples
>
> https://svnweb.freebsd.org/base/head/share/examples/jails/
>
> there is also some code in
> https://svnweb.freebsd.org/base/head/share/examples/netgraph/
>
> that may be relevant, but uses netgraph bridging.
>
>> Thanks,
>> Shawn
>>

I finally found a configuration that works, but there were two surprises.
First, I had to set net.link.bridge.pfil_member=1. Second, I essentially had
to double all rules; they must be written once for the physical interface and
once for the virtual interface. Here is an example pf.conf file. Communication
to the jail host uses em0 only. em1 is reserved as the bridge for various
jails' vnet interfaces. The www jail uses vnet0. The rules allow inbound
traffic only on ports 80 and 443, but any outbound traffic.

# macros
www_services = "{ http, https }"
host_iface = "em0"          # management traffic to the host itself
dmz_iface = "em1"           # bridge member the jails hang off
www_jail_iface = "vnet0:1"  # host side of the www jail's vnet interface
www_ip = "192.168.0.40"

# options must come before scrub and filter rules, or pfctl rejects the file
# with "Rules must be in order: options, normalization, queueing,
# translation, filtering"
set state-policy if-bound
set skip on lo0

# normalization
scrub in

# default deny in both directions
block in all
block out all

# the host itself only talks on the management interface
pass in on $host_iface
pass out on $host_iface

# inbound to the jail: crosses em1 on the way in and vnet0:1 on the way out,
# so with if-bound states both interfaces need a rule
pass in on $dmz_iface
pass out on $www_jail_iface proto tcp to $www_ip port $www_services

# outbound from the jail: the reverse pair
pass in on $www_jail_iface keep state
pass out on $dmz_iface

Thanks for all the suggestions.
-Alan
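The "write every rule twice" pattern above gets tedious as soon as there is more than one jail on the bridge. The script below is an added example, not Alan's configuration and not FreeBSD's own code: it generates a pf.conf from a small jail inventory, emitting each jail's inbound and outbound rules once for the bridge member and once for the host side of that jail's epair, and keeps the `set` options ahead of `scrub` because FreeBSD's pfctl enforces that ordering. It generalizes Alan's config in one respect: inbound traffic is restricted to each jail's service ports on the DMZ interface as well, not only on the jail-side interface. The interface names (em0, em1, epair0a, epair1a), addresses, service ports and jail names are constructed for illustration and are assumptions; the `pfctl -nf -` syntax check only runs where pfctl exists.

```shell
#!/bin/sh
# Added example (not Alan's config, not FreeBSD's code): generate a pf.conf
# for a host that bridges several vnet jails onto one DMZ interface. Every
# jail rule is emitted twice, once for the bridge member ($dmz_iface) and once
# for the host side of the jail's epair, because with
# net.link.bridge.pfil_member=1 and "set state-policy if-bound" a packet is
# filtered on each interface it crosses and states are bound per interface.
#
# Interface names, addresses and the jail inventory below are constructed
# assumptions for illustration.

HOST_IFACE=em0   # management traffic to the jail host itself
DMZ_IFACE=em1    # bridge member the jails' epairs are attached to

# Constructed jail inventory, one per line:
#   name  host-side-epair  jail-address  inbound-tcp-ports(comma separated)
JAILS='www epair0a 192.168.0.40 http,https
mail epair1a 192.168.0.41 smtp,imaps'

# Rules for one jail: inbound only to its service ports, any outbound.
# Each direction of each flow appears on both interfaces it crosses.
jail_rules() {
  name=$1 iface=$2 ip=$3
  ports="{ $(printf '%s' "$4" | sed 's/,/, /g') }"   # http,https -> { http, https }
  cat <<EOF
# $name: inbound only to $ports, any outbound
pass in on \$dmz_iface proto tcp to $ip port $ports
pass out on $iface proto tcp to $ip port $ports
pass in on $iface from $ip
pass out on \$dmz_iface from $ip
EOF
}

# Whole ruleset. Options come first because FreeBSD's pfctl enforces the
# order: options, normalization, queueing, translation, filtering.
generate_pf_conf() {
  printf 'host_iface = "%s"\ndmz_iface = "%s"\n\n' "$HOST_IFACE" "$DMZ_IFACE"
  cat <<'EOF'
set state-policy if-bound
set skip on lo0
scrub in

block in all
block out all

# the host itself is reachable, and talks out, only on the management interface
pass in on $host_iface
pass out on $host_iface
EOF
  printf '%s\n' "$JAILS" | while read -r name iface ip ports; do
    [ -n "$name" ] || continue
    echo
    jail_rules "$name" "$iface" "$ip" "$ports"
  done
}

# Number of "pass" rules in the generated ruleset: two for the host plus four
# per jail. A cheap sanity check that no jail was silently skipped.
count_pass_rules() {
  generate_pf_conf | grep -c '^pass '
}

# Parse the ruleset with pfctl when run on a FreeBSD host; elsewhere just say
# so. The sysctl line is what makes the bridge hand member traffic to pf.
check_ruleset() {
  echo 'net.link.bridge.pfil_member=1   # put this in /etc/sysctl.conf'
  if command -v pfctl >/dev/null 2>&1; then
    generate_pf_conf | pfctl -nf -
  else
    echo 'pfctl not available here; ruleset not parsed'
  fi
}

check_ruleset
generate_pf_conf
```

Run it on the jail host, review the output, then `pfctl -f` it into place; the epair names come from whatever creates the jails' vnet interfaces (jail.conf, the jib script in share/examples/jails, or a custom rc script), so adjust the inventory to match.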