From owner-freebsd-pf@freebsd.org Sat Aug 6 20:02:53 2016
From: "Bjoern A. Zeeb"
To: "Niklaas Baudet von Gersdorff"
Cc: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Firewalling jails and lo0
Date: Sat, 06 Aug 2016 20:02:37 +0000
Message-ID: <3C1C4822-17C2-42D9-A9BE-C3549B9B6F25@lists.zabbadoz.net>
In-Reply-To: <20160806155411.GA5289@len-t420.klaas>
References: <20160806155411.GA5289@len-t420.klaas>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 6 Aug 2016, at 15:54, Niklaas Baudet von Gersdorff wrote:

> Hi,
>
> In the manual I read the advice to disable the firewall on the
> loopback interface (`set skip on lo0`). It makes sense to me: Why
> would I want to firewall traffic on the loopback interface?
>
> I have jails with IPs assigned on lo1. Intentionally I do /not/
> `set skip on lo1` because I also want to restrict traffic (in and
> out) from and to the jails. (In case one of them becomes
> infiltrated.)
>
> However, today I realised that some connections originating from
> these jails use the loopback interface lo0. That said, they
> "circumvent" the firewall I set on lo1. `tcpdump` shows
> connections on lo0 from and to jails' IPs (especially IPv6s)
> although these IPs are solely assigned to lo1.

I am curious about this. Can you give me an (obfuscated) example?
(if you want in private email)

Are these ::1 connections, link-local addresses (unlikely as they
should not be visible to jails), or full IP? And what’s the routing
table entry in the base system for them?

Also do these jails have multiple IP addresses per address family,
and especially, do they have any IP address assigned to lo0 in them
at all?
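The check behind this exchange, as an added example that is not part of the thread and not code from either poster: given `tcpdump -n -i lo0` output and the list of addresses that are supposed to live only on lo1, list the packets whose source or destination is a jail address. Those are exactly the flows that `set skip on lo0` exempts from the rules written for lo1. The jail addresses, the tcpdump lines and the function name `jail_traffic_on_lo0` are all constructed for this example; the script parses the address tokens the way tcpdump prints them (`addr.port` for both IPv4 and IPv6, a trailing `:` after the destination, no port on ICMP).

```shell
#!/bin/sh
# Added example for this thread, not code from the list posters.
# Situation: jail addresses are assigned to lo1 and pf filters lo1, but
# 'set skip on lo0' means any jail flow that is carried on lo0 is never
# filtered. Feed this script the output of 'tcpdump -n -i lo0' and the
# jail address list to separate those flows from ordinary loopback noise.

# Constructed sample jail addresses; assumed to be assigned to lo1 only.
JAIL_ADDRS="192.0.2.10 2001:db8:1::10"

# Constructed sample of 'tcpdump -n -i lo0' output. Lines 2, 3 and 5 carry a
# jail address (IPv4 DNS, IPv6 DNS, IPv4 ICMP); lines 1 and 4 are plain
# 127.0.0.1 / ::1 loopback traffic that lo0 is expected to carry.
SAMPLE_LO0='12:00:01.000000 IP 127.0.0.1.54321 > 127.0.0.1.25: Flags [S], seq 1, win 65535, length 0
12:00:02.000000 IP 192.0.2.10.40000 > 192.0.2.1.53: UDP, length 40
12:00:03.000000 IP6 2001:db8:1::10.40001 > 2001:db8:1::1.53: UDP, length 40
12:00:04.000000 IP6 ::1.40002 > ::1.80: Flags [S], seq 1, win 65535, length 0
12:00:05.000000 IP 192.0.2.10 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64'

# Constructed sample with no jail traffic at all (the healthy case).
CLEAN_LO0='12:00:01.000000 IP 127.0.0.1.54321 > 127.0.0.1.25: Flags [S], seq 1, win 65535, length 0
12:00:04.000000 IP6 ::1.40002 > ::1.80: Flags [S], seq 1, win 65535, length 0'

# jail_traffic_on_lo0 TCPDUMP_TEXT JAIL_ADDRS
# Prints every tcpdump line whose source or destination is a jail address.
# Exit status 0 when at least one such line exists, 1 otherwise, so the
# function can be used directly as an 'if' condition.
jail_traffic_on_lo0() {
    printf '%s\n' "$1" | awk -v jails="$2" '
        # isjailaddr: strip the decorations tcpdump adds to an address token
        # (trailing ":" after the destination, ".port" suffix) and look it up.
        function isjailaddr(tok,   t) {
            t = tok
            sub(/:$/, "", t)              # "> 192.0.2.1.53:" -> drop the ":"
            if (t in isjail) return 1     # no port suffix, e.g. ICMP
            sub(/\.[0-9]+$/, "", t)       # "192.0.2.10.40000" -> "192.0.2.10"
            return (t in isjail)
        }
        BEGIN {
            n = split(jails, j, " ")
            for (i = 1; i <= n; i++) isjail[j[i]] = 1
            hit = 0
        }
        # Field 2 is the protocol family, 3 the source, 4 ">", 5 the destination.
        $2 == "IP" || $2 == "IP6" {
            if (isjailaddr($3) || isjailaddr($5)) { print; hit = 1 }
        }
        END { exit hit ? 0 : 1 }'
}

# Stand-alone run over the constructed capture.
if jail_traffic_on_lo0 "$SAMPLE_LO0" "$JAIL_ADDRS"; then
    echo "jail traffic seen on lo0: these flows are exempt from the lo1 rules while lo0 is skipped" >&2
else
    echo "no jail traffic seen on lo0" >&2
fi
```

On a real host the input would be `tcpdump -n -i lo0 -l` piped in and `JAIL_ADDRS` taken from `jls`. The matching lines are what Bjoern asks to see: whether they are ::1, link-local or full addresses, and what `netstat -rn` says about the route for each jail address in the base system, which is what decides whether a packet goes out via lo0 or lo1. The script only finds the packets; it does not change the pf policy.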