Date:      Sat, 21 Nov 2009 09:08:05 -0500
From:      Steve Bertrand <steve@ibctech.ca>
To:        Peter <fbsdq@peterk.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw not blocking inter jail ip traffic
Message-ID:  <4B07F445.3030206@ibctech.ca>
In-Reply-To: <02821228f8c0ffffa3084eed1ad5a624.squirrel@webmail.pknet.net>
References:  <02821228f8c0ffffa3084eed1ad5a624.squirrel@webmail.pknet.net>

Peter wrote:
> Hi,
> 
>     I have 2 jails and I don't want them to be able to reach each other.
> 
> gulag:#ifconfig em0
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 08:00:27:03:18:ea
>         inet 172.20.6.50 netmask 0xffffff00 broadcast 172.20.6.255
>         inet 172.20.6.209 netmask 0xffffff00 broadcast 172.20.6.255
>         inet 172.20.6.211 netmask 0xffffff00 broadcast 172.20.6.255
> 
> gulag:#ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 deny ip from 172.20.6.209 to 172.20.6.211
> 10001 deny ip from 172.20.6.211 to 172.20.6.209
> 40000 deny ip from 172.20.6.209 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> 
> The two jails [.209 and .211] can still ping each other.
> Even with rule 40000, the .209 jail can ping/ssh to the .211 jail, but of
> course cannot ping the gateway...
> If I remove rule '100' from the list, the jails are no longer able to ping
> each other. Although the IPs are on em0, why is the rule with lo0 letting
> them pass?

Because, AFAIK, traffic that stays within the box never crosses the
external (i.e. non-loopback) interface planes.

> Does lo0 mean ALL ips assigned to server? or does it mean
> loopback interface:

It means the loopback interface. Essentially, all traffic that originates
from and is destined to the box itself stays within the loopback.

Try this:

ipfw add 40000 deny all from 172.20.6.211 to 172.20.6.209 via lo0

The following would allow you to block access from .211 to ANY other IP
(jail) on the box (I *think* it would still permit network-destined
traffic):

ipfw add xxxx deny all from 172.20.6.211 to me

HTH,

Steve
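The behaviour discussed in this thread can be reproduced offline with a small model of how ipfw evaluates a rule list. The script below is an added example and is not part of the thread or of FreeBSD's ipfw: it parses the `ipfw list` output quoted above (a subset of the rule syntax: `allow`/`deny`, `ip`/`all`, `from`/`to`, `any`, `me`, CIDR or host addresses, optional `via <iface>`), applies ipfw's real first-match semantics (rules are tried in numeric order and evaluation stops at the first match; `me` matches any address configured on the host), and assumes, as Steve explains, that traffic between two addresses configured on the same box is seen on `lo0` rather than `em0`. The host addresses are taken from the `ifconfig em0` output; the gateway address `172.20.6.1` is a constructed sample value. The model also shows something worth checking before adding any `via lo0` deny: because rule 100 already allows everything on `lo0`, a deny that matches on `lo0` only takes effect when it is numbered below 100.

```python
"""Constructed model of ipfw first-match rule evaluation (not FreeBSD's ipfw)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Addresses configured on the box, from the ifconfig em0 output in the thread.
HOST_ADDRS: Set[str] = {"172.20.6.50", "172.20.6.209", "172.20.6.211"}

# The rule list as printed by `ipfw list` in the original question.
RULESET = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
10000 deny ip from 172.20.6.209 to 172.20.6.211
10001 deny ip from 172.20.6.211 to 172.20.6.209
40000 deny ip from 172.20.6.209 to any
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Subset of ipfw rule syntax handled by this model.
RULE_RE = re.compile(
    r"^(\d+)\s+(allow|deny)\s+(ip|all)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+via\s+(\S+))?$"
)


@dataclass
class Rule:
    number: int
    action: str
    src: str
    dst: str
    via: Optional[str]  # interface name, or None when the rule has no `via`


def parse_ruleset(text: str) -> List[Rule]:
    """Parse one or more rule lines into Rule objects sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        num, action, _proto, src, dst, via = m.groups()
        rules.append(Rule(int(num), action, src, dst, via))
    return sorted(rules, key=lambda r: r.number)


def add_rule(rules: List[Rule], line: str) -> List[Rule]:
    """Model `ipfw add <line>`: insert the rule and keep numeric order (stable sort)."""
    return sorted(rules + parse_ruleset(line), key=lambda r: r.number)


def addr_matches(spec: str, addr: str, host_addrs: Set[str]) -> bool:
    """Match an address against `any`, `me`, a host address or a CIDR prefix."""
    if spec == "any":
        return True
    if spec == "me":  # ipfw's `me`: any address configured on the host
        return addr in host_addrs
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def local_iface(src: str, dst: str, host_addrs: Set[str] = HOST_ADDRS) -> str:
    """Interface on which the model sees a packet: host-to-host traffic stays on lo0."""
    return "lo0" if src in host_addrs and dst in host_addrs else "em0"


def evaluate(rules: List[Rule], src: str, dst: str, iface: str,
             host_addrs: Set[str] = HOST_ADDRS) -> Tuple[str, int]:
    """Return (action, rule number) of the first matching rule, in numeric order."""
    for r in rules:
        if r.via is not None and r.via != iface:
            continue  # `via` restricts the rule to packets seen on that interface
        if addr_matches(r.src, src, host_addrs) and addr_matches(r.dst, dst, host_addrs):
            return r.action, r.number
    return "deny", 65535  # implicit default rule


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    jail_a, jail_b, gateway = "172.20.6.209", "172.20.6.211", "172.20.6.1"  # gateway is constructed
    for label, rs in [
        ("as posted", rules),
        ("deny via lo0 numbered 40000 (after rule 100)",
         add_rule(rules, "40000 deny ip from 172.20.6.211 to 172.20.6.209 via lo0")),
        ("deny via lo0 numbered 90 (before rule 100)",
         add_rule(rules, "00090 deny ip from 172.20.6.211 to 172.20.6.209 via lo0")),
        ("deny from .211 to me numbered 50",
         add_rule(rules, "00050 deny all from 172.20.6.211 to me")),
    ]:
        print(f"== {label}")
        for s, d in [(jail_a, jail_b), (jail_b, jail_a), (jail_a, gateway), (jail_b, gateway)]:
            iface = local_iface(s, d)
            print(f"  {s} -> {d} on {iface}: {evaluate(rs, s, d, iface)}")
```

Running it shows the question's three observations in order: jail-to-jail traffic hits rule 100 on `lo0` and is allowed, `.209` to the gateway is on `em0` and is dropped by rule 40000, and with rule 100 removed the jail-to-jail traffic falls through to rule 10000. It also shows that the `deny ... via lo0` rule blocks `.211` to `.209` only when numbered below 100, while `deny all from 172.20.6.211 to me` blocks `.211` from every host address and still lets `.211` reach the gateway via rule 65000.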


