From owner-freebsd-pf@freebsd.org Wed Nov 8 08:37:57 2017
Return-Path:
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 43AC7E715D4 for ; Wed, 8 Nov 2017 08:37:57 +0000 (UTC) (envelope-from irukandji@voidptr.eu)
Received: from voidptr.eu (voidptr.eu [193.77.148.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "voidptr.eu", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BF487707F2 for ; Wed, 8 Nov 2017 08:37:56 +0000 (UTC) (envelope-from irukandji@voidptr.eu)
Received: none.of.your.bussiness.com ([66.66.66.661]:1337) by dynamic-122111.voidptr.eu with esmtp
Message-ID: <1510130272.4903.8.camel@voidptr.eu>
Subject: Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
From: irukandji
To: Goran Mekić
Cc: freebsd-pf@freebsd.org
Date: Wed, 08 Nov 2017 09:37:52 +0100
In-Reply-To: <20171107181806.dus6nizw3n4flr73@hal9000.meka.no-ip.org>
References: <1510069428.4725.31.camel@voidptr.eu> <20171107181806.dus6nizw3n4flr73@hal9000.meka.no-ip.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Nov 2017 08:37:57 -0000

The use case is to completely isolate the jail from the environment for running a honeypot. I can pf-filter the traffic coming from the jail to the internal network, but the FreeBSD server that is running the jails (here "host") can be accessed from the jail using its IP.
I have tried various methods of configuring jails / pf, finally even recompiling the kernel for VIMAGE/VNET support, but the problem stays. If I execute tcpdump -i vnet0:3 I can see the traffic flowing from the jail IP to the host, but once I set up a rule for blocking it, like:

block quick on vnet0:3 all

...it doesn't work; the traffic passes as if there were no pf. I am missing something, but I have no clue what... Thank you.

On Tue, 2017-11-07 at 19:18 +0100, Goran Mekić wrote:
> On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> > Hi Everyone,
> >
> > Problem: isolating the jail away from the internal network and the host "hosting" it.
> > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single network card on re0
> >
> > I am unable to prevent the jail from accessing the host (192.168.1.200); for any other IP it is working. I have configured VNET just to have a separate stack, but the host is still accessible from the jail.
> >
> > Am I missing something, or is this just something that can't be accomplished using pf? I have been banging my head against the wall with this issue for the past few months, going radical lately (kernel recompile ;) ), but still without any result.
> >
> > Can PLEASE someone help me out?
> >
> > Regards,
> > irukandji
>
> I am not sure I understand the use case. Sounds to me like you would like to be a hosting provider where a bare-metal machine is hosting other people's jails, and you don't want those people to be able to access the underlying machine. Also, when you say "jail accessing host", does that mean over SSH or something else?
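A diagnostic added here as an example; it is not from the original post or from anyone in the thread. When a rule such as "block quick on vnet0:3 all" appears to have no effect while tcpdump on the same interface shows the packets, the first thing to establish is whether pf is evaluating the rule at all. pfctl -vsr prints per-rule counters: Evaluations is how often pf considered the rule, Packets how often it matched. Evaluations staying at 0 while tcpdump sees traffic means the packets are not crossing a pfil hook on that interface in the network stack where the rules are loaded. With VNET each jail has its own stack, so rules loaded on the host only apply to interfaces in the host's stack, and whether frames crossing bridge0 are filtered on the member interface, on bridge0, or both is controlled by the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge (see if_bridge(4)); pfctl -si confirms pf is enabled in the stack you are looking at. The script below parses pfctl -vsr output for the rules on a given interface and prints a verdict per rule. The sample output and its counters are constructed for illustration; the interface names and addresses are taken from the post.

```sh
#!/bin/sh
# Added diagnostic example (not from the original post). On the FreeBSD host
# you would feed it real data:   pfctl -vsr | pf_rule_counters vnet0:3
# Other checks worth running alongside it (in the host's network stack):
#   pfctl -si                                  -> "Status: Enabled"?
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
#   tcpdump -ni vnet0:3 host 192.168.1.200      -> do the packets appear here?

# Usage: pf_rule_counters <ifname> < pfctl-vsr-output
# Prints one line per rule bound to <ifname>:  <verdict> | <rule text>
#   NEVER-EVALUATED    pf never saw a packet on this interface for this rule
#   EVALUATED-NO-MATCH pf saw traffic on the interface, but nothing matched
#   MATCHED            the rule matched at least one packet
pf_rule_counters() {
    awk -v ifn="$1" '
        # a rule line: starts with pass/block and names the interface after "on"
        /^(pass|block)/ && $0 ~ ("on " ifn "( |$)") { rule = $0; next }
        # the "[ Evaluations: N Packets: N ... ]" line that follows a rule line
        rule != "" && /Evaluations:/ {
            ev = 0; pk = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1) + 0
                if ($i == "Packets:")     pk = $(i + 1) + 0
            }
            if (ev == 0)      verdict = "NEVER-EVALUATED"
            else if (pk == 0) verdict = "EVALUATED-NO-MATCH"
            else              verdict = "MATCHED"
            print verdict " | " rule
            rule = ""
        }
    '
}

# Constructed sample of `pfctl -vsr` output; the counters are invented for
# illustration and do not come from any real system.
SAMPLE='block drop quick on vnet0:3 all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]
block drop in on re0 inet from 192.168.1.100 to 192.168.1.200
  [ Evaluations: 4821      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]
pass in on re0 inet proto tcp from any to 192.168.1.200 port = ssh flags S/SA keep state
  [ Evaluations: 4821      Packets: 1933      Bytes: 241822      States: 2     ]
  [ Inserted: uid 0 pid 812 State Creations: 17    ]
'

# Run the parser over the constructed sample for a given interface.
pf_rule_counters_sample() {
    printf '%s' "$SAMPLE" | pf_rule_counters "$1"
}

pf_rule_counters_sample 'vnet0:3'
pf_rule_counters_sample 're0'
```

In the constructed sample the vnet0:3 rule comes back NEVER-EVALUATED, which is the interesting case: pf in this stack has not looked at a single packet on that interface, so no rule text will help until the packets reach a pfil hook there. The re0 block rule comes back EVALUATED-NO-MATCH, meaning traffic does pass pf on re0 but the jail-to-host packets are not among it.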