From owner-freebsd-jail@freebsd.org Sun Dec 27 15:03:03 2015
From: Julian Elischer
To: Michael Grimm, freebsd-jail@freebsd.org, freebsd-net@freebsd.org
Subject: Re: ipsec tunnel and vnet jails: routing, howto?
Date: Sun, 27 Dec 2015 23:02:42 +0800
Message-ID: <567FFD92.2050909@freebsd.org>

On 27/12/2015 4:24 AM, Michael Grimm wrote:
> Hi,
>
> I am currently stuck, somehow, and I do need your input. Thus, let me explain what I do want to achieve:
>
> I do have two servers connected via an ipsec/tunnel ...
> [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]
> … which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.
>
> That did run perfectly well during the last years until I decided to give VNET jails a try. Previously, some of my old-fashioned jails got an IPv6 address attached like dead:beef:1234:abcd:1:2::3, and I could reach that address from the remote server without any routing/redirecting or alike being necessary. Now, after having moved those jails to VNET jails (having those addresses bound to their epairXXb interfaces), I cannot reach those addresses within those jails any longer.
>
> From my point of view and understanding this must have to do with a lack of proper routing, but I am not sure if that is correct, thus my questions to the experts:
>
> 1) Is my assumption correct that my tunnel is "ending" after having passed my firewalls at each server, *before* decrypting its ESP traffic into its final destination (yes, I do have pf rules to allow for ESP traffic to pass my outer internet-facing interface)?
>
> 2) If that is true, racoon has to decide where to deliver those packets, finally?
>
> 3) If that is true, I do have an issue with routing that *cannot* be solved by pf firewall rules, right?
>
> 4) If that is true, what do I have to look for? What am I missing? How can I route incoming and finally decrypted traffic to its final destination within a VNET jail?
>
> 5) Do I need to look for a completely different approach? Every hint is highly welcome.

Basically you have to treat the jails as if they are totally separate machines that are reached through the VPN endpoints instead of being the endpoints themselves. This will require a different setup. For example, your tunnel will need to be exactly that, a tunnel, and not just an encapsulation. And you will need full routing information for the other end at each end.
>
> Thanks in advance and with kind regards,
> Michael
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-jail@freebsd.org Sun Dec 27 18:14:59 2015
Subject: Re: ipsec tunnel and vnet jails: routing, howto?
From: Michael Grimm
To: freebsd-jail@freebsd.org, freebsd-net@freebsd.org
Date: Sun, 27 Dec 2015 19:14:44 +0100
Message-Id: <6BC88EA5-D440-418B-88D8-3C90EFF177E5@ellael.org>
In-Reply-To: <567FFD92.2050909@freebsd.org>

Julian Elischer wrote:
> On 27/12/2015 4:24 AM, Michael Grimm wrote:
>> I do have two servers connected via an ipsec/tunnel ...
>> [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]
>> … which is sending all traffic destined for dead:beef:1234:abcd::/64 and dead:feed:abcd:1234::/64 through the tunnel, and vice versa.
>> [...]
>
> Basically you have to treat the jails as if they are totally separate machines that are reached through the VPN endpoints instead of being the endpoints themselves. This will require a different setup. For example, your tunnel will need to be exactly that, a tunnel, and not just an encapsulation. And you will need full routing information for the other end at each end.

Thanks for your input. In the meantime I got it running, somehow. The "somehow" refers to: I am not sure if that's the way it's supposed to be.

What I did (I do only show the part of host [A], the other host is configured accordingly):

1. ipsec/tunnel between [A] dead:beef:1234:abcd::1 <—> dead:feed:abcd:1234::1 [B]

/path-to-racoon/setkey.conf:

    # outbound: anything from the local /56 towards the remote jail's
    # address goes through the ESP tunnel between the two tunnel endpoints
    spdadd dead:beef:1234:abcd::/56 dead:feed:abcd:1234:1:2::3 any
        -P out ipsec esp/tunnel/dead:beef:1234:abcd::1-dead:feed:abcd:1234::1/require;
    # inbound: the mirror image, remote /56 towards the local jail's address
    spdadd dead:feed:abcd:1234::/56 dead:beef:1234:abcd:1:2::3 any
        -P in ipsec esp/tunnel/dead:feed:abcd:1234::1-dead:beef:1234:abcd::1/require;

2. routing at [A]:

/etc/rc.conf:

    # static host route from the host system [A] into jail1 (the jail named
    # "mail" below), whose address on the bridge is fd00:ffff:ffff:ffff:aaaa::1.
    # The name listed in ipv6_static_routes must match the ipv6_route_<name>
    # variable, otherwise rc.d/routing never installs the route.
    ipv6_static_routes="mail"
    ipv6_route_mail="-host dead:beef:1234:abcd:1:2::3 fd00:ffff:ffff:ffff:aaaa::1"

/etc/jail.conf:

    #
    # host dependent global settings
    #
    $ip6prefix = "dead:beef:1234:abcd";
    $ip6prefix_remote_host = "dead:feed:abcd:1234";

    #
    # global jail settings
    #
    host.hostname = "${name}";
    path = "/usr/home/jails/${name}";
    mount.fstab = "/etc/fstab.${name}";
    exec.consolelog = "/var/log/jail_${name}_console.log";
    vnet = "new";
    vnet.interface = "epair${jailID}b";
    exec.clean;
    mount.devfs;
    persist;

    #
    # network settings to apply/destroy during start/stop of every jail
    #
    exec.prestart = "sleep 2";
    # create the epair: the "a" end stays on the host and joins bridge0,
    # the "b" end is moved into the jail's vnet via vnet.interface
    exec.prestart += "ifconfig epair${jailID} create up";
    exec.prestart += "ifconfig bridge0 addm epair${jailID}a";
    exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
    exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
    # default routes inside the jail point at the host side of bridge0
    exec.start += "/sbin/route add default -gateway 10.x.x.254";
    exec.start += "/sbin/route add -inet6 default -gateway fd00:ffff:ffff:ffff:aaaa::254";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair${jailID}a destroy";

    #
    # individual jail settings
    #
    mail {
        $jailID = 1;
        $ip4_addr = 10.x.x.1;
        $ip6_addr = fd00:ffff:ffff:ffff:aaaa::1/64;
        # the tunnelled address, added as an alias inside the jail; it is
        # the destination of the ipv6_route_mail host route on the host
        exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6prefix}:1:2::3/56 alias";
        # route to the remote host's jail dead:feed:abcd:1234:1:2::3 at
        # tunnel end point [B] out of jail1, via the host side of bridge0
        exec.start += "/sbin/route add -6 ${ip6prefix_remote_host}:1:2::3 fd00:ffff:ffff:ffff:aaaa::254";
        exec.start += "/bin/sh /etc/rc";
    }

That is working well, after racoon has established the tunnel.

*But* unlike what I have observed before, the very first contact to the remote server's [B] jail out of a jail
at [A] doesn't trigger racoon to establish the tunnel. Before, that happened instantaneously, but now I do need to do some "tricks" with ping6s and/or restarting racoon at the host system. I haven't found out yet what the cause is … I am sure that I need to learn much more regarding routing. Every feedback is highly welcome.

Thanks and regards,
Michael

From owner-freebsd-jail@freebsd.org Sat Jan 2 19:51:44 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 202268] [jail] able to log in as root without typing the password. FreeBSD 10.1-RELEASE #0 r274401
Date: Sat, 02 Jan 2016 19:51:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202268

--- Comment #4 from Marie Helene Kvello-Aune ---
Created attachment 164965
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=164965&action=edit
/etc/rc.d/jail core dump

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-jail@freebsd.org Sat Jan 2 19:52:14 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 202268] [jail] able to log in as root without typing the password. FreeBSD 10.1-RELEASE #0 r274401
Date: Sat, 02 Jan 2016 19:52:14 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202268

--- Comment #5 from Marie Helene Kvello-Aune ---
I've reproduced this on 11-CURRENT (FreeBSD mpc.hjemme 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r293047M: Sat Jan 2 12:16:07 CET 2016 root@mpc.hjemme:/usr/obj/usr/src/sys/GENERIC amd64)

When I press ctrl + \ while jails are being started, I see a notice about a core dump (attached) and I get the prompt to select which shell to use for single-user mode. When selecting a shell, I have single-user mode on the host system. This is with the default setting in /etc/ttys, where the local console is considered secure.

I tried pressing ctrl + \ constantly during rc.d execution but not during /etc/rc.d/jail script execution, and this behaviour was NOT happening. It seems to be specific to the /etc/rc.d/jail script.

Once I entered single-user mode, I saw all jails had started, even though the core dump and single-user mode happened while jail 2 out of 8 were being started.

If I set the local console to not be considered secure (i.e. require a password to enter single-user mode), I am prompted for the root password.

This is definitely a bug, but considering it doesn't let you skip the password on an insecure console I wouldn't consider it a security issue.

Please let me know if any more details are required to solve this problem.
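The mechanism behind the report above, a console keystroke (ctrl + \ sends SIGQUIT to the console's foreground process group) killing a boot-time step and leaving a core dump, can be shown in miniature. The script below is an added illustration and is not code from the bug report or from FreeBSD's /etc/rc.d/jail: it runs a stand-in for "start one jail", has a helper deliver SIGQUIT to it part-way through, and reports whether the step survived, once with the signal at its default disposition and once with the script ignoring it (trap '' QUIT) before the step starts. The function name start_child, the three-second stand-in step and the temporary pid file are assumptions of this example; mktemp, sleep and kill are the ordinary utilities.

```shell
#!/bin/sh
# Added illustration, not code from the bug report or from FreeBSD's
# /etc/rc.d/jail: what SIGQUIT (the signal ctrl + \ sends to the console's
# foreground process group) does to a long-running step of an rc-style
# script, once with the signal at its default disposition and once with
# the script ignoring it before the step starts.

ulimit -c 0 2>/dev/null || true   # never leave a core file behind

# start_child MODE
#   Runs a stand-in for "start one jail" in the foreground, has a helper
#   deliver SIGQUIT to it part-way through, and prints "survived" if the
#   step finished normally or "killed" if the signal terminated it.
#   MODE is "guarded" (ignore QUIT first, the way a script can shield a
#   critical section) or "unguarded" (leave the default disposition).
start_child() {
    mode=$1
    tmpdir=$(mktemp -d) || return 1
    pidfile=$tmpdir/pid          # assumed location for the step's pid

    # helper: wait until the step has published its pid, then signal it.
    # As a background job it inherits QUIT ignored itself, which does not
    # matter here: it only sends the signal, it never receives it.
    (
        i=0
        while [ ! -s "$pidfile" ] && [ "$i" -lt 10 ]; do
            sleep 1
            i=$((i + 1))
        done
        pid=$(cat "$pidfile" 2>/dev/null) && kill -QUIT "$pid" 2>/dev/null || true
    ) &
    helper=$!

    if [ "$mode" = guarded ]; then
        trap '' QUIT             # children started from here inherit SIG_IGN
    fi
    # the step itself, in the foreground like a jail start in an rc script;
    # it records its own pid and then "works" for three seconds.
    # The if-form keeps a signal death from tripping set -e in callers.
    if sh -c 'echo $$ > "$1"; sleep 3; exit 0' sh "$pidfile"; then
        outcome=survived
    else
        outcome=killed           # exit status 128+3: terminated by SIGQUIT
    fi
    trap - QUIT                  # back to the default disposition

    wait "$helper" 2>/dev/null || true
    rm -rf "$tmpdir"
    echo "$outcome"
}

# stand-alone run: show both outcomes
echo "unguarded step: $(start_child unguarded)"
echo "guarded step:   $(start_child guarded)"
```

Run it with plain sh; the unguarded step dies with "Quit" after about a second, the guarded one runs to completion. The demo does not reproduce the bug itself (that needs the real console, init and /etc/ttys); it only shows why a signal that reaches a boot-time step ends it, and why the outcome changes when the script ignores QUIT around that step, which is the check to make on a script that must not be interruptible from the console.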