Date:      Wed, 17 Aug 2016 09:22:44 +0200
From:      Lars Engels <lars.engels@0x20.net>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, CyberLeo Kitsana <cyberleo@cyberleo.net>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, Freebsd Questions <FreeBSD-questions@freebsd.org>, James Gritton <jamie@freebsd.org>, krad <kraduk@gmail.com>
Subject:   Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID:  <20160817072244.GO18643@e-new.0x20.net>
In-Reply-To: <57B3B858.4000707@gmail.com>
References:  <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net> <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net> <57B3B858.4000707@gmail.com>


On Tue, Aug 16, 2016 at 09:05:28PM -0400, Ernie Luzar wrote:
> Bjoern A. Zeeb wrote:
> > On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
> >
> >> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> >> <snip>
> >>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
> >>> message, "open device:no such file or directory. User kernel version
> >>> check failed.
> >>
> >> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> >> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> >> your jail has those unhidden?
> >>
> >>> Issuing "ipfstat -hnio command from within the vnet jail gives this
> >>> message, open(IPSTATE_NAME):no such file or directory.
> >>
> >> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> >> bad idea.
> >
> > /dev/kmem is a bad idea; I should go and check what it is using it for
> > and if needed we should fix that.
> >
> >
> > I guess the general thing is that we might want to create another
> > default set of devfs rules which include additional nodes we now
> > consider safe inside VNET jails; the jail.conf still needs to know the
> > right ruleset to apply, so the jail.conf would need to specify the other
> > devfs_ruleset=“..” for vnet jails. Maybe Jamie could then come up with
> > an intelligent solution that would automatically flip things if option
> > vnet is set? I guess jail.conf(5) will need more examples for these
> > things as well.
> >
> >
> > /bz
> >
>
> If that's the road you are thinking of going down, then we have to look
> at the big picture. Is another rule set, say number 5, that includes rule
> set number 4 plus the nodes for ipfilter, pf, and ipfw. Or maybe a
> separate rule set for each firewall, which is more secure.
>
> There is no way jail(8) could know which firewall, if any, was going to be
> run in the vnet jail to select the correct rule if there were separate
> rules for each firewall. A combined rule set containing everything
> needed for all 3 firewalls would be something jail(8) could auto default
> to if the vnet option was coded.
>
> In light of the 11.0 release being published soon there should be something
> posted to the release notes talking about this with sample code for a
> combined rule #5. This would give vnet users a copy & paste solution to
> use until jail(8) gets updated in 11.1.
>
> I tried this rule set in /etc/devfs.rules
>
> [devfsrules_jail=5]
> add include $devfsrules_jail
> add path /dev/ipl unhide
> add path /dev/ipauth unhide
> add path /dev/ipstate unhide

I think you have to remove '/dev/'
>
> At boot time I get an error message that this was invalid.
>
> If I could get a correct-syntax combined rule #5 file, I could continue
> testing all 3 firewalls using 11.0-RC1.
>
> Your help would be greatly appreciated.
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

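The corrected ruleset, as an added example that is not part of the thread or of FreeBSD's own devfs.rules: devfs.rules(5) path operands are relative to the devfs mount point, which is what the reply above means by removing '/dev/'. The script below emits a ruleset that unhides the three ipfilter nodes named earlier in the thread, and carries a small lint for the exact mistake in the quoted file, flagging "add path /dev/..." lines and printing the corrected form. Assumptions made here: ruleset number 5 is unused on the host; the stock devfsrules_jail (=4) from /etc/defaults/devfs.rules is present so the `$devfsrules_jail` include resolves when rc.d/devfs loads the file; and the ruleset name devfsrules_jail_vnet_ipf is my own choice, kept distinct from devfsrules_jail so that the include keeps pointing at the default ruleset. The /dev/ipnat node used by ipnat(8) is not mentioned in the thread; if the jail runs NAT, add it the same way.

```shell
#!/bin/sh
# Added example, not code from the thread: a devfs ruleset that unhides the
# ipfilter nodes inside a vnet jail, and a small lint for the mistake
# discussed above (absolute /dev/... paths in devfs.rules).
#
# Assumptions: ruleset number 5 is free on the host, and the stock
# devfsrules_jail (=4) from /etc/defaults/devfs.rules is present so that
# "$devfsrules_jail" resolves when rc.d/devfs loads the file. The ruleset
# name devfsrules_jail_vnet_ipf is a hypothetical one chosen for this
# example.

# The ruleset as it should appear in /etc/devfs.rules. devfs.rules(5)
# paths are relative to the devfs mount point, so "ipl", not "/dev/ipl".
# The name differs from devfsrules_jail so the include below still
# refers to the default ruleset 4.
vnet_ipf_ruleset() {
	cat <<'EOF'
[devfsrules_jail_vnet_ipf=5]
add include $devfsrules_jail
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
EOF
}

# Strip a leading /dev/ from one path operand: /dev/ipl -> ipl.
devfs_rel_path() {
	printf '%s\n' "$1" | sed 's|^/dev/||'
}

# Read a devfs.rules fragment on stdin. For every "add path /dev/..."
# line print the line and its corrected form. Returns 1 if any such
# line was found, 0 if the fragment is clean.
lint_devfs_rules() {
	_found=0
	while IFS= read -r _line; do
		case "$_line" in
		'add path /dev/'*)
			_found=1
			printf 'bad: %s\n' "$_line"
			printf 'fix: %s\n' "$(printf '%s\n' "$_line" | sed 's|^add path /dev/|add path |')"
			;;
		esac
	done
	return $_found
}

# Stand-alone run: print the ruleset, then show the lint catching the
# /dev/-prefixed variant from the thread (constructed input line).
vnet_ipf_ruleset
printf '%s\n' 'add path /dev/ipl unhide' | lint_devfs_rules || :

# To use it: append the ruleset to /etc/devfs.rules, set
#   devfs_ruleset = 5;
# in the jail's jail.conf(5) entry, and for a jail that is already running
# apply it to that jail's devfs with
#   devfs -m /path/to/jail/dev rule -s 5 applyset
```

Running the file prints the ruleset followed by the lint's "bad:" and "fix:" lines for the quoted `add path /dev/ipl unhide`. Feeding the host's own /etc/devfs.rules to `lint_devfs_rules` is a quick way to check for the same slip before rebooting, which is where the quoted message reports the error showing up.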