Date:      Fri, 20 Nov 2009 18:18:02 -0700 (MST)
From:      "Peter" <fbsdq@peterk.org>
To:        freebsd-net@freebsd.org
Subject:   ipfw not blocking inter jail ip traffic
Message-ID:  <02821228f8c0ffffa3084eed1ad5a624.squirrel@webmail.pknet.net>

Hi,

    Have 2 jails and I don't want them to be able to reach each other.

gulag:#ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:03:18:ea
        inet 172.20.6.50 netmask 0xffffff00 broadcast 172.20.6.255
        inet 172.20.6.209 netmask 0xffffff00 broadcast 172.20.6.255
        inet 172.20.6.211 netmask 0xffffff00 broadcast 172.20.6.255

gulag:#ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
10000 deny ip from 172.20.6.209 to 172.20.6.211
10001 deny ip from 172.20.6.211 to 172.20.6.209
40000 deny ip from 172.20.6.209 to any
65000 allow ip from any to any
65535 deny ip from any to any


The two jails [.209 and .211] can still ping each other.
Even with rule 40000, the .209 jail can ping/ssh to the .211 jail, but of
course cannot ping the gateway...
If I remove rule '100' from the list, the jails are no longer able to ping
each other. Although the IPs are on em0, why is the rule with lo0 letting
them pass? Does lo0 mean ALL IPs assigned to the server, or does it mean the
loopback interface:

gulag:#ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

]Peter[




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?02821228f8c0ffffa3084eed1ad5a624.squirrel>
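An added example, not part of Peter's message and not FreeBSD's own tooling: a small POSIX sh/awk check that replays an `ipfw list` dump in first-match order for one jail-to-jail flow. It rests on an assumption that is stated here, not in the post: traffic between two addresses that are both configured on the same host never leaves the box and is delivered through lo0, so a "via lo0" rule matches it even though the addresses sit on em0. The rulesets are constructed copies of the listing above, the same listing with rule 00100 removed (Peter's experiment), and a reordered version in which the jail deny rules are numbered below the lo0 allow; the rule numbers 00050/00051 are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): replay an
# `ipfw list` dump in first-match order for one jail-to-jail flow.
#
# Assumption (stated here, not in the post): packets between two addresses
# that are both configured on the same host never leave the box; FreeBSD
# delivers them through lo0, so "via lo0" matches them even though the
# addresses are on em0. ipfw consults rules in ascending number order and
# the first match wins.

# Constructed copy of the ruleset as posted.
POSTED_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
10000 deny ip from 172.20.6.209 to 172.20.6.211
10001 deny ip from 172.20.6.211 to 172.20.6.209
40000 deny ip from 172.20.6.209 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Same ruleset with the jail deny rules renumbered below the lo0 allow,
# so they are consulted first (rule numbers 50/51 are arbitrary choices).
FIXED_RULES='00050 deny ip from 172.20.6.209 to 172.20.6.211
00051 deny ip from 172.20.6.211 to 172.20.6.209
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
40000 deny ip from 172.20.6.209 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# jail_isolation_ok RULES SRC DST
# Returns 0 when the first rule that applies to SRC -> DST is a deny,
# 1 when it is an allow (or when nothing applies). Only "ip from A to B
# [via IFACE]" rules are understood; CIDR prefixes such as 127.0.0.0/8
# are compared literally, which is enough for the addresses used here.
jail_isolation_ok() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        BEGIN { rc = 1 }
        NF >= 7 {
            action = $2; from = $5; to = $7
            via = ($8 == "via") ? $9 : ""
            # Local-to-local traffic only ever crosses lo0, so a "via em0"
            # rule can never match it and a "via lo0" rule always can.
            if ((from == src || from == "any") &&
                (to == dst || to == "any") &&
                (via == "" || via == "lo0")) {
                rc = (action == "deny") ? 0 : 1
                exit
            }
        }
        END { exit rc }'
}

# Human-readable check of one ruleset in both directions.
report() {
    if jail_isolation_ok "$2" 172.20.6.209 172.20.6.211 &&
       jail_isolation_ok "$2" 172.20.6.211 172.20.6.209; then
        echo "$1: jails isolated"
    else
        echo "$1: jails can still reach each other"
    fi
}

# Peter's experiment: the posted ruleset with rule 00100 removed.
WITHOUT_100=$(printf '%s\n' "$POSTED_RULES" | grep -v '^00100 ')

report posted "$POSTED_RULES"        # posted: jails can still reach each other
report without-100 "$WITHOUT_100"    # without-100: jails isolated
report fixed "$FIXED_RULES"          # fixed: jails isolated
```

The check reproduces both observations from the post: with the posted ordering, rule 00100 is the first rule that applies to .209 -> .211 and it allows, so rules 10000/10001/40000 are never reached; remove 00100 and 10000/10001 become the first match. Renumbering the two deny rules below 00100 gives the same isolation while keeping the loopback allow, which the posted ruleset relies on for 127.0.0.1 traffic. The script only models the listing; it does not call ipfw and runs anywhere sh and awk exist.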