Date:      Thu, 1 Jan 2009 21:17:03 GMT
From:      Stefan Hegnauer <stefan.hegnauer@gmx.ch>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Message-ID:  <200901012117.n01LH3RO045314@www.freebsd.org>
Resent-Message-ID: <200901012120.n01LK1Kr099652@freefall.freebsd.org>


>Number:         130102
>Category:       kern
>Synopsis:       'pfctl -d' from inside a jail disables pf on the jail host
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 01 21:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Stefan Hegnauer
>Release:        7.1-PRERELEASE #9
>Organization:
>Environment:
FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed Dec 31 09:05:43 CET 2008     root@jailhost.x.y.z:/usr/obj/usr/src/sys/IBMT20  i386
>Description:
I have a jail host (192.168.1.10) with two jails running, webjail (192.168.1.80) and mailjail (192.168.1.25). The host uses pf for some additional protection on the single network interface facing my DMZ router, with rules for the two jailed hosts. So far everything seems to work as intended.
The setup of the jails is according to the descriptions in the jail(8) manual page with no deviations.

If I use pfctl(8) as root in one of the jails, it is possible to control pf(4) that runs on the host. For example I can disable pf on the host altogether using 'pfctl -d', or re-enable it again with 'pfctl -e', or load a different ruleset with 'pfctl -f <rulefile>' etc.
It seems that pfctl easily gets out of the jail, which I did not expect, and I also did not find any reference to this behaviour in the handbook, the FAQ, the PR database or anywhere else on the net.
>How-To-Repeat:
- have pf enabled in the kernel (device pf, device pflog)
- set up a jail system with at least one jail according to jail(8) man page
- run pf on the host, load some rules and enable pf (pfctl -ef <rule_file>)
- run 'pfctl -d' as root within a jail -> pf is disabled on the host (pfctl -si)
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
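The following host-side audit script is an added example and is not part of PR 130102 or of FreeBSD. It rests on an assumption the PR itself does not spell out: pfctl(8) controls pf(4) through ioctls on /dev/pf, and a 7.x host has a single pf instance, so a jail whose devfs mount shows /dev/pf lets jailed root reach the host firewall. Jail root directories are passed as arguments; the paths in the usage comment are placeholders, since the PR gives none.

```shell
#!/bin/sh
# Added audit helper, not code from PR 130102. Assumption: pfctl works via
# /dev/pf and there is one pf instance per host, so a jail that can see
# /dev/pf can enable, disable or reload the host's pf (the behaviour the PR
# describes). Reports such jails and the host's current pf state.

# Classify the first line of `pfctl -si` output ("Status: Enabled for ..."
# or "Status: Disabled for ...") as enabled/disabled/unknown.
pf_state_from_info() {
    case "$1" in
        *"Status: Enabled"*)  echo enabled ;;
        *"Status: Disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Succeed (exit 0) when the jail rooted at $1 has a visible /dev/pf node.
jail_exposes_pf() {
    [ -e "$1/dev/pf" ]
}

# Check every jail root given; print one line per jail and return 1 if any
# jail exposes /dev/pf, 0 otherwise.
audit_jails() {
    rc=0
    for root in "$@"; do
        if jail_exposes_pf "$root"; then
            echo "WARN: $root exposes /dev/pf (pfctl in this jail reaches host pf)"
            rc=1
        else
            echo "ok:   $root hides /dev/pf"
        fi
    done
    return "$rc"
}

# Report the host's pf state when pfctl is available (skipped elsewhere).
report_host_pf() {
    if command -v pfctl >/dev/null 2>&1; then
        echo "host pf: $(pf_state_from_info "$(pfctl -si 2>/dev/null)")"
    fi
}

# Usage (placeholder jail roots): ./pf-jail-audit.sh /usr/jail/webjail /usr/jail/mailjail
if [ "$#" -gt 0 ]; then
    report_host_pf
    audit_jails "$@"
fi
```

A jail reported as WARN can be restricted with a devfs(8) ruleset applied to its /dev mount that hides the pf node (devfs.rules(5)); the PR itself does not name a fix.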


