From: Ernie Luzar
Date: Sat, 06 Aug 2016 12:15:27 -0400
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Firewalling jails and lo0
Message-ID: <57A60D1F.80500@gmail.com>
In-Reply-To: <20160806155411.GA5289@len-t420.klaas>

Niklaas Baudet von Gersdorff wrote:
> Hi,
>
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`). It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
>
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
>
> However, today I realized that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.
>
> I was quite surprised by that behavior. So, if I want to isolate
> the jails and restrict traffic from and to them, will I need to
> remove skipping on lo0 and block there too?
>
> Any advice and explanation is very much appreciated.
>
> Niklaas

This bug report will answer your questions for non-vimage jails.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
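One way to close the gap Niklaas describes, added here as an illustration and not taken from either message or from the bug report: a pf.conf fragment that stops skipping lo0 and writes the jail policy once for both loopback interfaces, so traffic the kernel carries over lo0 instead of lo1 meets the same rules. The jail address table, the resolver address and the "DNS only" policy are constructed placeholders.

```pf
# Constructed pf.conf fragment; addresses are placeholders, not from the thread.
table <jails> { 10.0.10.0/24, fd00:10::/64 }   # addresses assigned to jails on lo1
host_dns = "{ 10.0.10.1, fd00:10::1 }"          # resolver the jails may reach (placeholder)

# Weak setting: "set skip on lo0" disables pf on lo0 entirely, so any jail
# traffic the kernel sends over lo0 instead of lo1 is never filtered.
# set skip on lo0

# Corrected: keep lo0 filtered. Plain host loopback traffic stays open ...
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# ... while the jail policy is written once for both loopback interfaces,
# so it applies no matter which of the two a packet shows up on.
# pf uses last-matching-rule semantics: the block lines set the default,
# the stateful pass below it carves out the one permitted service.
block drop log on { lo0, lo1 } from <jails> to any
block drop log on { lo0, lo1 } from any to <jails>
pass on { lo0, lo1 } proto { tcp, udp } from <jails> to $host_dns port 53
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump to confirm that the jail flows previously seen unfiltered on lo0 now hit the logged block rules.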