Date: Thu, 1 Jan 2009 21:50:04 GMT
To: freebsd-bugs@FreeBSD.org
From: Remko Lodder
Subject: Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host

The following reply was made to PR kern/130102; it has been noted by GNATS.

From: Remko Lodder
To: Stefan Hegnauer
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
Date: Thu, 1 Jan 2009 22:49:11 +0100

> FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed Dec 31 09:05:43 CET 2008 root@jailhost.x.y.z:/usr/obj/usr/src/sys/IBMT20 i386
>
> >Description:
> I have a jail host (192.168.1.10) with two jails running, webjail
> (192.168.1.80) and mailjail (192.168.1.25). The host uses pf for
> some additional protection on the single network interface facing my
> DMZ router, with rules for the two jailed hosts. So far everything
> seems to work as intended.
> The setup of the jails is according to the descriptions in the
> jail(8) manual page with no deviations.
>
> If I use pfctl(8) as root in one of the jails it is possible to
> control pf(4) that runs on the host. For example I can disable pf on
> the host altogether using 'pfctl -d', or re-enable it again with
> 'pfctl -e', or load a different ruleset with 'pfctl -f ', etc.
> It seems that pfctl easily gets out of the jail, which I did not
> expect, and I also did not find any reference to this behaviour in
> the handbook, the FAQ, the PR database or anywhere else on the net.
>
> >How-To-Repeat:
> - have enabled in the kernel (device pf, device pflog)
> - set up a jail system with at least one jail according to the jail(8)
>   man page
> - run pf on the host, load some rules and enable pf (pfctl -ef )
> - run 'pfctl -d' as root within a jail -> pf is disabled on the host
>   (pfctl -si)
>
> >Fix:
>

Can you perhaps tell us more about the setup you have with the jails,
showing the devfs ruleset that is being used for the jails, etc.?
Normally the /dev/pf node isn't visible in jails and this shouldn't happen.

Thanks,
Remko

-- 
/"\   Best regards,                        | remko@FreeBSD.org
\ /   Remko Lodder                         | remko@EFnet
 X    http://www.evilcoder.org/            |
/ \   ASCII Ribbon Campaign                | Against HTML Mail and News
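Remko's question about the devfs ruleset can be answered mechanically. The shell function below is an added example, not code from the PR or from FreeBSD: it replays a devfs.rules fragment the way devfs applies it and reports whether a node such as pf would be visible under a given ruleset. The rulesets embedded here are constructed for illustration (they follow the syntax of /etc/defaults/devfs.rules, but the names and numbers are assumptions); on a real host you would feed it the system's rules files and the ruleset assigned to the jail.

```shell
#!/bin/sh
# Added example: decide whether a devfs node (e.g. "pf") is visible under a
# given devfs ruleset. Constructed rulesets below follow the syntax of
# /etc/defaults/devfs.rules; names and contents are illustrative assumptions.
DEVFS_RULES='
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic

[devfsrules_jail_with_pf=5]
add include $devfsrules_jail
add path pf unhide
'

# visible_in_ruleset NODE RULESET -> prints "visible" or "hidden".
# Rules are replayed in order, "add include $name" recursing into the named
# ruleset, so the last hide/unhide that matches NODE wins. Only the glob
# characters * and ? are translated; a bare name matches literally.
visible_in_ruleset() {
    printf '%s\n' "$DEVFS_RULES" | awk -v node="$1" -v want="$2" '
    function glob2re(g) { gsub(/\*/, ".*", g); gsub(/\?/, ".", g); return "^" g "$" }
    function apply(rs,    n, i, f) {
        n = count[rs] + 0
        for (i = 1; i <= n; i++) {
            split(rule[rs, i], f, " ")
            if (f[2] == "include")      apply(substr(f[3], 2))   # drop leading $
            else if (f[2] == "hide")    state = "hidden"         # hides every node
            else if (f[2] == "path" && node ~ glob2re(f[3]))
                state = (f[4] == "hide") ? "hidden" : "visible"
        }
    }
    /^\[/  { cur = $0; sub(/^\[/, "", cur); sub(/=.*$/, "", cur); sub(/\]$/, "", cur); next }
    /^add/ { rule[cur, ++count[cur]] = $0 }
    END    { state = "visible"; apply(want); print state }'
}

# Stand-alone run: a plain jail ruleset hides pf, one that unhides it does not.
for rs in devfsrules_jail devfsrules_jail_with_pf; do
    printf '%s: /dev/pf is %s\n' "$rs" "$(visible_in_ruleset pf "$rs")"
done
```

If pf is reported visible for the ruleset a jail runs with, root in that jail can reach /dev/pf, which is the condition the report describes; the fix is a ruleset that hides it.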