From: Goran Mekić <meka@tilda.center>
To: irukandji
Cc: freebsd-pf@freebsd.org
Date: Tue, 7 Nov 2017 19:18:06 +0100
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Message-ID: <20171107181806.dus6nizw3n4flr73@hal9000.meka.no-ip.org>
In-Reply-To: <1510069428.4725.31.camel@voidptr.eu>
List-Id: Technical discussion and general questions about packet filter (pf) (freebsd-pf@freebsd.org)
On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> Hi Everyone,
>
> Problem: isolating the jail away from the internal network and the host "hosting" it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
>
> I am unable to prevent the jail accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separated stack, but the host is still accessible from the jail.
>
> Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
>
> Can PLEASE someone help me out?
>
> Regards,
> irukandji

I am not sure I understand the use case. It sounds to me like you would like to be a hosting provider where a bare-metal machine hosts other people's jails, and you don't want those people to be able to access the underlying machine. Also, when you say "jail accessing host", does that mean over SSH or something else?
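The following is an added configuration example, not something posted by either participant in this thread: a host-side pf.conf for the topology the question describes (vnet jail 192.168.1.100 whose epair is bridged onto bridge0 with re0, host 192.168.1.200). The interface name epair0a, the macro names and the LAN prefix 192.168.1.0/24 are assumptions; the host-side half of the jail's epair is whatever `ifconfig bridge0` lists as a member. The point of the example is where the filtering has to happen: the host's pf sees the jail's packets as they arrive inbound on the host-side epair, before the bridge forwards them, so that is the interface to block on.

```pf
# Host /etc/pf.conf (added example; interface names and the LAN prefix are assumptions)
ext_if  = "re0"
jail_if = "epair0a"        # host-side end of the jail's epair, a member of bridge0
host_ip = "192.168.1.200"
jail_ip = "192.168.1.100"
lan_net = "192.168.1.0/24"

set skip on lo0

# Traffic leaving the jail's own network stack arrives here as "in" on epair0a.
# pf only sees it on a bridge member when net.link.bridge.pfil_member=1 (the default).
block in log quick on $jail_if from $jail_ip to $host_ip
block in log quick on $jail_if from $jail_ip to $lan_net
pass  in     quick on $jail_if from $jail_ip to any   # keeps state, so replies return

# Any address the jail must still reach on the LAN (a DNS resolver on the
# gateway, for instance) needs its own pass rule placed above the block lines.

# Usual host policy for re0 follows; shown only so the file is complete.
pass out on $ext_if
pass in  on $ext_if proto tcp to $host_ip port ssh
```

To check that the rules are actually being hit, `pfctl -vvsr` shows per-rule packet counters and `tcpdump -n -e -ttt -i pflog0` shows the blocked packets together with the interface they were dropped on. If the counters stay at zero while the jail can still reach the host, confirm `sysctl net.link.bridge.pfil_member` is 1, and if the host's address lives on bridge0 rather than re0, confirm `net.link.bridge.pfil_bridge` as well. On FreeBSD 11.1 pf is not VNET-aware, so a pf.conf inside the jail does not help here; the host's pf on the epair is what enforces the policy.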