Message-ID: <5BDC8067.40802@gmail.com>
Date: Fri, 02 Nov 2018 12:50:47 -0400
From: Ernie Luzar
To: FreeBSD current, "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: 12.0 betaX with vnet.pf

Hello lists:

With 12.0, vimage is now included with the system base kernel and the pfctl program has been worked on so it will function in a vnet jail.

While 12.0 is still in the beta releases I am trying to test this new environment. Already found a bug dealing with ipfilter running on host with pf trying to be loaded. This bug is supposed to be fixed in beta3.

Having trouble setting up a vnet jail with pf firewall.

My setup =
host running pf with pass all and log all rules on the interface facing the public internet.
vnet jail has complete directory tree.
pf is started by vnet jail's rc.conf pf option statements.
pf rules use macro containing the epair2b as interface name.
pflog needs devfs_ruleset to unhide pflog.
use bridge/epair for networking.
can ping 10.0.10.2 on host from vnet jail.

Having these problems
pf log inside of vnet jail not being populated
pf nat rule causing rule set error
cannot ping public internet from vnet jail.
ftpproxy rule error.

Has anyone been able to get a 12.0 vnet/pf environment working?

Would anyone be willing to help me get my setup working?