Date:      Sat, 6 Aug 2016 17:54:11 +0200
From:      Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To:        freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject:   Firewalling jails and lo0
Message-ID:  <20160806155411.GA5289@len-t420.klaas>

Hi,

In the manual I read the advice to disable the firewall on the
loopback interface (`set skip on lo0`). It makes sense to me: Why
would I want to firewall traffic on the loopback interface?

I have jails with IPs assigned on lo1. Intentionally I do /not/
`set skip on lo1` because I also want to restrict traffic (in and
out) from and to the jails. (In case one of them becomes
infiltrated.)

However, today I realised that some connections originating from
these jails use the loopback interface lo0. That said, they
"circumvent" the firewall I set on lo1. `tcpdump` shows
connections on lo0 from and to jails' IPs (especially IPv6s)
although these IPs are solely assigned to lo1.

I was quite surprised by that behaviour. So, if I want to isolate
the jails and restrict traffic from and to them, will I need to
remove skipping on lo0 and block there too?

Any advice and explanation is very much appreciated.

    Niklaas
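The behaviour described in the post is expected on FreeBSD: a packet addressed to any address configured on the host, including a jail address that lives on lo1, is delivered over lo0, so `set skip on lo0` exempts host-to-jail and jail-to-jail traffic from pf entirely. The following pf.conf fragment is an added example, not part of the original post or any reply to it; it shows the weak setting beside one way of keeping lo0 filtered. The interface name `em0` and the two jail prefixes are placeholders, and the allowed flows at the end are assumed for illustration.

```pf
# Added example pf.conf fragment (not from the original post).
# Assumptions: em0 is the external interface; the jail addresses are in the
# two placeholder prefixes below and are configured on lo1.
ext_if = "em0"
table <jails> { 10.0.1.0/24, fd00:1::/64 }   # placeholder jail address ranges

# Weak setting: every packet on lo0 bypasses pf. Because FreeBSD delivers
# packets to any locally configured address over lo0, host<->jail and
# jail<->jail traffic is never inspected while this line is active.
# set skip on lo0

# Keep lo0 filtered, but pass genuine loopback traffic unconditionally so
# local services (resolver, databases on 127.0.0.1/::1) keep working.
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# Deny jail traffic by default on every interface, lo0 and lo1 included;
# later "pass" rules reopen only the flows a jail needs (last match wins).
block log quick from <jails> to <jails>      # assumption: jails need not talk to each other
block log from <jails>
block log to <jails>

# Example allowed flows (assumed for illustration): outbound DNS and HTTP(S),
# inbound HTTP to a jail, with state so replies are matched automatically.
pass out on $ext_if proto { tcp udp } from <jails> to any port 53 keep state
pass out on $ext_if proto tcp from <jails> to any port { 80 443 } keep state
pass in  on $ext_if proto tcp from any to <jails> port 80 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch what the `block log` rules catch with `tcpdump -ni pflog0`; traffic between a jail and an address on the host itself now shows up there on lo0 rather than slipping past the ruleset.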