From: Ernie Luzar <luzar722@gmail.com>
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org, stdin@niklaas.eu
Subject: Re: Firewalling jails and lo0
Date: Sat, 06 Aug 2016 12:55:00 -0400
Message-ID: <57A61664.9010100@gmail.com>
In-Reply-To: <20160806162343.GE5566@len-t420.klaas>
References: <20160806155411.GA5289@len-t420.klaas> <57A60D1F.80500@gmail.com> <20160806162343.GE5566@len-t420.klaas>
List-Id: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

Niklaas Baudet von Gersdorff wrote:
> Ernie Luzar [2016-08-06 12:15 -0400] :
>
>> This bug report will answer your questions for non-vimage jails.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
>
> Thanks a lot. So I stumbled upon a security issue? And the only
> way to work around this is by using vimage jails? While vimage
> refers to some virtualisation of the network /within/ the jails?
>
> Niklaas

That is not the undocumented work-around solution contained in the PR. Vimage jails are not mentioned at all. The loopback problem is isolated to non-vimage jails only.
If your non-vimage jail does not contain an application that uses localhost lo0/127.0.0.x, then you don't need to do anything.

If there is an application in your jail that uses lo0/127.0.0.x, then for that jail's jail.conf definition you have to manually activate loopback by adding lo0:127.0.0.x to the jail's ip4_addr parameter value, along with the jail's primary IP address. Then manually change the conf file of all the applications running in that jail to use that lo0 127.0.0.x IP address.

An alternative is to add a statement to the host's rc.conf to clone the lo0 interface and then code as above. This means each jail has a unique loopback IP address.
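As an added illustration of the setup Ernie describes (this is not part of his message, the thread, or the PR), here is what a per-jail loopback address looks like in the host's /etc/rc.conf and /etc/jail.conf, using the `interface|address` form that jail.conf(5) accepts for ip4.addr. The jail name, interface names and addresses (www, em0, lo1, 192.0.2.10, 127.0.1.1) are made-up placeholders; the cloned-interface variant is shown, and the same effect on lo0 itself would be `ip4.addr += "lo0|127.0.1.1/32"` with no rc.conf change.

```conf
# /etc/rc.conf on the host (added example; names and addresses are placeholders)
#
# Clone a dedicated loopback interface for the jail so its 127.x address
# does not sit on the host's lo0. Leave the address itself to jail(8),
# which adds and removes it around exec.start / exec.stop.
cloned_interfaces="lo1"
ifconfig_lo1="up"
jail_enable="YES"
jail_list="www"

# /etc/jail.conf on the host (added example)
www {
    host.hostname = "www.example.net";
    path = "/usr/jails/www";
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    mount.devfs;

    # Primary address on the outside interface, plus a loopback address
    # that belongs to this jail only. Explicit prefix lengths avoid
    # relying on jail(8)'s default netmask.
    ip4.addr  = "em0|192.0.2.10/24";
    ip4.addr += "lo1|127.0.1.1/32";

    # Inside the jail, any daemon that listened on or connected to
    # 127.0.0.1 must be reconfigured to use 127.0.1.1 instead.
}
```

Because each jail gets its own 127.x address on a named interface, a pf ruleset can match that jail's local traffic by address or by interface (lo1 here) instead of treating everything on lo0 as one trusted blob; the message above does not prescribe particular pf rules, so none are shown.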