Date:      Thu, 1 Jan 2009 21:50:04 GMT
From:      Remko Lodder <remko@elvandar.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Message-ID:  <200901012150.n01Lo4Sx022286@freefall.freebsd.org>

The following reply was made to PR kern/130102; it has been noted by GNATS.

From: Remko Lodder <remko@elvandar.org>
To: Stefan Hegnauer <stefan.hegnauer@gmx.ch>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Date: Thu, 1 Jan 2009 22:49:11 +0100

>>
> FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed Dec 31 09:05:43 CET 2008 root@jailhost.x.y.z:/usr/obj/usr/src/sys/IBMT20 i386
>> Description:
> I have a jail host (192.168.1.10) with two jails running, webjail (192.168.1.80) and mailjail (192.168.1.25). The host uses pf for some additional protection on the single network interface facing my DMZ router, with rules for the two jailed hosts. So far everything seems to work as intended.
> The setup of the jails is according to the descriptions in the jail(8) manual page with no deviations.
>
> If I use pfctl(8) as root in one of the jails it is possible to control pf(4) that runs on the host. For example I can disable pf on the host altogether using 'pfctl -d', or re-enable it again with 'pfctl -e', or load a different ruleset with 'pfctl -f <rulefile>' etc.
> It seems that pfctl easily gets out of the jail, which I did not expect, and I also did not find any reference to this behaviour in the handbook, the FAQ, the PR database or anywhere else on the net.
>> How-To-Repeat:
> - have enabled in the kernel (device pf, device pflog)
> - set up a jail system with at least one jail according to the jail(8) man page
> - run pf on the host, load some rules and enable pf (pfctl -ef <rule_file>)
> - run 'pfctl -d' as root within a jail -> pf is disabled on the host (pfctl -si)
>> Fix:
>
 
 
Can you perhaps tell us more about the setup you have with the jails, showing the devfs ruleset that is being used for the jails, etc.?

Normally the /dev/pf node isn't visible in jails and this shouldn't happen.

Thanks,
Remko
 
 
-- 
/"\   Best regards,             | remko@FreeBSD.org
\ /   Remko Lodder              | remko@EFnet
 X    http://www.evilcoder.org/ |
/ \   ASCII Ribbon Campaign     | Against HTML Mail and News
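The devfs ruleset check Remko asks for, as an added example that is not code from this thread or from FreeBSD: a POSIX sh audit of a devfs.rules(5) file that flags rulesets which would leave /dev/pf visible to a jail, the condition under which a jailed root can drive the host's pf(4). It assumes the stock hide-all ruleset is named devfsrules_hide_all (as in /etc/defaults/devfs.rules) and does not follow other includes.

```sh
#!/bin/sh
# audit_devfs_rules FILE: print one line per ruleset that leaves /dev/pf visible
# to a jail; exit 0 when none is found, 1 otherwise.  Understands the "[name=N]"
# headers and "add ..." rules of devfs.rules(5); includes are not followed.
audit_devfs_rules() {
    file=$1; found=0; section=''; hides=0; unhides_pf=0
    set -f                      # globs in rules must not match local files
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
        \[*\])                  # header: judge the previous ruleset first
            devfs_judge
            section=${line#\[}; section=${section%%=*}; section=${section%\]}
            hides=0; unhides_pf=0; continue ;;
        esac
        set -- $line
        [ "$1" = add ] || continue
        shift
        case $1 in [0-9]*) shift ;; esac        # optional rule number
        case $1 in
        hide) hides=1 ;;
        include) [ "$2" = '$devfsrules_hide_all' ] && hides=1 ;;  # stock hide-all
        path)                   # strip quotes, then test the glob against "pf"
            g=$2; g=${g#\'}; g=${g%\'}; g=${g#\"}; g=${g%\"}
            [ "$3" = unhide ] && case pf in $g) unhides_pf=1 ;; esac ;;
        esac
    done < "$file"
    devfs_judge
    set +f
    return $found
}
# report the ruleset just parsed (shares the globals above)
devfs_judge() {
    [ -n "$section" ] || return 0
    if [ "$hides" -eq 0 ]; then
        echo "$section: hides nothing, /dev/pf stays visible"; found=1
    elif [ "$unhides_pf" -eq 1 ]; then
        echo "$section: unhides a path matching pf"; found=1
    fi
}

# constructed sample: a jail ruleset that someone extended with a pf wildcard
sample=$(mktemp)
cat > "$sample" <<'EOF'
[devfsrules_jail=4]
add include $devfsrules_hide_all
add path null unhide
add path 'pf*' unhide
EOF
if audit_devfs_rules "$sample"; then echo "no ruleset exposes /dev/pf"; fi
rm -f "$sample"
```

Run it against /etc/devfs.rules on the jail host; a ruleset named in a jail's devfs_ruleset setting that is reported here is what lets pfctl inside that jail reach the host's pf.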
 