Date: Wed, 17 Aug 2016 09:22:44 +0200 From: Lars Engels <lars.engels@0x20.net> To: Ernie Luzar <luzar722@gmail.com> Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, CyberLeo Kitsana <cyberleo@cyberleo.net>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, Freebsd Questions <FreeBSD-questions@freebsd.org>, James Gritton <jamie@freebsd.org>, krad <kraduk@gmail.com> Subject: Re: testing 11.0-RC1 vnet jails with ipfilter Message-ID: <20160817072244.GO18643@e-new.0x20.net> In-Reply-To: <57B3B858.4000707@gmail.com> References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net> <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net> <57B3B858.4000707@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--f0PSjARDFl/vfYT5 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 16, 2016 at 09:05:28PM -0400, Ernie Luzar wrote: > Bjoern A. Zeeb wrote: > > On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote: > >=20 > >> On 08/16/2016 03:21 PM, Ernie Luzar wrote: > >> <snip> > >>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this > >>> message, "open device:no such file or directory. User kernel version > >>> check failed. > >> > >> According to ipf(8), the ipfilter utilities touch /dev/ipauth , /dev/i= pl > >> , and /dev/ipstate . Have you checked that the devfs ruleset applied to > >> your jail has those unhidden? > >> > >>> Issuing "ipfstat -hnio command from within the vnet jail gives this > >>> message, open(IPSTATE_NAME):no such file or directory. > >> > >> ipfstat(8) also lists /dev/kmem ; I suspect that including this may be= a > >> bad idea. > >=20 > > /dev/kmem is a bad idea; I should go and check what it is using it for= =20 > > and if needed we should fix that. > >=20 > >=20 > > I guess the general thing is that we might want to create another=20 > > default set of devfs rules which include additional nodes we now=20 > > consider safe inside VNET jails; the jail.conf still needs to know the= =20 > > right ruleset to apply, so the jail.conf would need to specify the othe= r=20 > > devfs_ruleset=3D=E2=80=9C..=E2=80=9D for vnet jails. Maybe Jamie could= then come up with=20 > > an intelligent solution that would automatically flip things if option= =20 > > vnet is set? I guess jail.conf(5) will need more examples for these= =20 > > things as well. > >=20 > >=20 > > /bz > >=20 >=20 > If thats the road you are thinking of going down, then we have to look=20 > at the big picture. Is another rule set say number 5 that includes rule= =20 > set number 4 plus the nodes for ipfilter, pf, and ipfw. Or maybe a=20 > separate rule set for each firewall which is more secure. >=20 > There is no way jail(8) could know which firewall if any was going to be= =20 > run in the vnet jail to select the correct rule if there were separate=20 > rules for each firewall. A combined rule set containing everything=20 > needed for all 3 firewalls would be something jail(8) could auto default= =20 > to if vnet option was coded. >=20 > In light of 11.0 release being published soon there should be something= =20 > posted to the release notes talking about this with sample code for a=20 > combined rule #5. This would give vnet users a copy & paste solution to= =20 > use until jail(8) gets updated in 11.1. >=20 > I tried this rule set in /etc/devfs.rules >=20 > [devfsrules_jail=3D5] > add include $devfsrules_jail > add path /dev/ipl unhide > add path /dev/ipauth unhide > add path /dev/ipstate unhide I think you have to remove '/dev/' >=20 > Boot time get error message that this was invalid. >=20 > If I could get a correct syntax combined rule #5 file, I could continue= =20 > testing all 3 firewalls using 11.0-RC1. >=20 > Your help would be greatly appreciated. >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 > _______________________________________________ > freebsd-jail@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" --f0PSjARDFl/vfYT5 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQF8BAEBCgBmBQJXtBDEXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4RjQwMDE3RTRERjUzMTI1N0FGRTUxNDlF NTRDQjM3RDNBMDg5RDZEAAoJEOVMs306CJ1t17IH/RN4z88uvgE1bZr4DsDYS1We LMfGoKzqJKW5tcWdpwBENXo3N03ZF1HrwZntdeklDG2GZz27uVhgsW9W2Gk5qYwl PL9BCfzSrJPOeU4M0soojIioGFqrTMBdZgjOdz/pjMMaXKz+PlpBFNoPCZeRVY+o haq790satiGhymUGkMFzv48ckle7xRUbVwvfE8fxSoFJE8LD/FnBXLddUq1EfPXy gd16CvI3SSnrZsXKWZhRy9k5CgJ+wikqBXz57pFpImQZTU23Hxu54cVZ+k+8wv/y k+ikar/FoCRdjd04nHFOedWIq2nuovsCP2E5noDfxnrn+c9x+Vu1uIasoLpnfqg= =OR/x -----END PGP SIGNATURE----- --f0PSjARDFl/vfYT5--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160817072244.GO18643>