Date: Tue, 16 Aug 2016 21:05:28 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: CyberLeo Kitsana <cyberleo@cyberleo.net>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, Freebsd Questions <FreeBSD-questions@freebsd.org>, krad <kraduk@gmail.com>, James Gritton <jamie@freebsd.org>
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <57B3B858.4000707@gmail.com>
In-Reply-To: <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net> <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>
Bjoern A. Zeeb wrote:
> On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
>
>> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
>> <snip>
>>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>>> message, "open device:no such file or directory. User kernel version
>>> check failed."
>>
>> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
>> and /dev/ipstate. Have you checked that the devfs ruleset applied to
>> your jail has those unhidden?
>>
>>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>>> message, "open(IPSTATE_NAME):no such file or directory."
>>
>> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
>> bad idea.
>
> /dev/kmem is a bad idea; I should go and check what it is using it for
> and if needed we should fix that.
>
>
> I guess the general thing is that we might want to create another
> default set of devfs rules which include additional nodes we now
> consider safe inside VNET jails; the jail.conf still needs to know the
> right ruleset to apply, so the jail.conf would need to specify the other
> devfs_ruleset=“..” for vnet jails. Maybe Jamie could then come up with
> an intelligent solution that would automatically flip things if option
> vnet is set? I guess jail.conf(5) will need more examples for these
> things as well.
>
>
> /bz
>

If that's the road you are thinking of going down, then we have to look at the big picture. Is it another rule set, say number 5, that includes rule set number 4 plus the nodes for ipfilter, pf, and ipfw? Or maybe a separate rule set for each firewall, which is more secure. There is no way jail(8) could know which firewall, if any, was going to be run in the vnet jail in order to select the correct rule set if there were separate rule sets for each firewall. A combined rule set containing everything needed for all 3 firewalls would be something jail(8) could auto-default to if the vnet option was coded.
In light of the 11.0 release being published soon, there should be something posted in the release notes talking about this, with sample code for a combined rule #5. This would give vnet users a copy & paste solution to use until jail(8) gets updated in 11.1.

I tried this rule set in /etc/devfs.rules:

[devfsrules_jail=5]
add include $devfsrules_jail
add path /dev/ipl unhide
add path /dev/ipauth unhide
add path /dev/ipstate unhide

At boot time I get an error message that this was invalid. If I could get a correct-syntax combined rule #5 file, I could continue testing all 3 firewalls using 11.0-RC1. Your help would be greatly appreciated.
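A small lint for devfs.rules files, added here as an example and not taken from this thread or from FreeBSD, that reads the files in the order rc.subr does and flags malformed section headers, a ruleset name defined a second time (the name is what a later "$name" include resolves through), an include that refers to an undefined name or to its own section, and absolute /dev/ path patterns. The demo function, the trimmed sample files and the alternative header name devfsrules_jail_ipf are my own constructions, and whether any of the findings it reports on the posted fragment is the boot-time error the message describes is an assumption, not something the thread establishes.

```shell
# Added example, not from the thread: lint devfs.rules files the way rc.subr
# consumes them ("[name=number]" headers, then devfs(8) rule lines, files read
# in devfs_rulesets order). One finding per line; exit status 1 if any found.
lint_devfs_rules() {
    awk '
    function fail(msg) { print FILENAME ":" FNR ": " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
    /^\[/ {                                         # section header
        if (!match($0, /^\[[A-Za-z_][A-Za-z0-9_]*=[0-9]+\][ \t]*$/)) { fail("malformed header: " $0); cur = ""; next }
        split(substr($0, 2, index($0, "]") - 2), kv, "=")
        name = kv[1]; num = kv[2]
        # rc.subr sets shell variable name=number per header, so a reused name
        # changes what every later "$name" include resolves to
        if ((name in defined) && defined[name] != num)
            fail("name " name " redefined as " num " (was " defined[name] ")")
        defined[name] = num; cur = num; next
    }
    {
        if (cur == "") { fail("rule outside any section: " $0); next }
        for (i = 2; i < NF; i++) {
            if ($i == "include") {
                ref = $(i + 1)
                if (ref ~ /^\$/) {                  # named reference such as $devfsrules_jail
                    if (!(substr(ref, 2) in defined)) { fail("include of undefined ruleset " ref); continue }
                    ref = defined[substr(ref, 2)]
                }
                if (ref == cur) fail("ruleset " cur " includes itself via " $(i + 1))
            }
            # devfs path patterns are relative to /dev, so "/dev/ipl" never matches anything
            if ($i == "path" && $(i + 1) ~ /^\/dev\//)
                fail("path " $(i + 1) " is absolute; use " substr($(i + 1), 6))
        }
    }
    END { exit bad + 0 }' "$@"
}

# Constructed sample files (not the real /etc ones): a trimmed stock jail
# ruleset, then the posted fragment with header name $1 and path prefix $2.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '[devfsrules_hide_all=1]' 'add hide' '' '[devfsrules_jail=4]' \
        'add include $devfsrules_hide_all' 'add path log unhide' > "$d/defaults.rules"
    printf '%s\n' "[$1=5]" 'add include $devfsrules_jail' "add path $2ipl unhide" \
        "add path $2ipauth unhide" "add path $2ipstate unhide" > "$d/devfs.rules"
    lint_devfs_rules "$d/defaults.rules" "$d/devfs.rules"; rc=$?
    rm -rf "$d"; return $rc
}
demo devfsrules_jail /dev/ || echo "posted fragment: findings above"
demo devfsrules_jail_ipf "" && echo "distinct name, relative paths: clean"
```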