From owner-freebsd-questions@freebsd.org Wed Aug 17 20:46:15 2016
From: Ernie Luzar
Date: Wed, 17 Aug 2016 16:46:37 -0400
To: Freebsd Questions
Subject: testing 11.0-RC1 vnet jails with pf firewall
Message-ID: <57B4CD2D.5080108@gmail.com>
List-Id: User questions

Hello list;

Running 11.0-RC1 with only option vimage compiled into the generic kernel. PF runs fine on the host. Have pf rules to pass and log everything and I see what I expect to see in the host's pf log. Issuing ifconfig on the host shows

  pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
          groups: pflog

I added this to the vnet jail's rc.conf

  pf_enable="YES"
  pflog_enable="YES"

The jail.conf for the vnet jail has devfs rule #6, which contains this

  [devfsrules_vjail_pf=6]
  add include $devfsrules_jail
  add path pf unhide
  add path pfsync unhide
  add path pflog unhide

When I start the vnet jail it comes up just fine. Issuing ifconfig from within the vnet jail shows

  pflog0: flags=0<> metric 0 mtu 33184
          groups: pflog

You can see pflog0 has been created but is not running. There is no /var/log/pflog file in the vnet jail.

Issuing the "pfctl -sr -vv" command from within the vnet jail shows

  No ALTQ support in kernel
  ALTQ related functions disabled
  @0 pass log (all) quick on epair2b all flags S/SA keep state
    [ Evaluations: 11        Packets: 55        Bytes: 8366        States: 0     ]
    [ Inserted: uid 0 pid 2561 State Creations: 11    ]

I can ping the public from within the vnet jail. These limited signs seem to indicate the pf firewall is working in some limited way in the vnet jail.

The real problem is with pf logging. There is none. The single pass rule that runs in the vnet jail should be generating log data from the ipv4 pings I do and whois packets. There is even nothing in the host's pf log. The only things I see in the host's pf log are ipv6 ping6 multicasts and ipv6 dns inquiry requests going out the host's external interface.

The vimage literature talks about unique firewalls per vnet jail. To me that translates into the firewall generating logs in the vnet jail directory tree.

I rebooted the host and used a kernel compiled with vimage and pf. Got same results.

Suggestions about what I can try to get logging working in the vnet jail so it logs to the vnet jail's directory tree sure would be appreciated.

Thanks
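The following diagnostic script is an added example, not part of the original post or of FreeBSD. It separates the three things the post's output mixes together: whether pflog0 inside the jail is actually UP/RUNNING (the "flags=0<>" line says it is not), whether a pflogd(8) process is attached to it, and whether the loaded rule set carries any rule with the "log" keyword at all. pflogd attaches to pflog0 through bpf(4) in promiscuous mode, which is where the PROMISC flag on the host's pflog0 comes from; for that to work inside the jail, /dev/bpf has to be visible there, and the posted devfs rule unhides pf, pfsync and pflog but not bpf, so the script lists that node too. The script assumes the jail name is passed as its first argument and that jexec(8), ifconfig(8), pfctl(8) and pgrep(1) are available on the host. The sample ifconfig and pfctl lines in the comments are taken from the post; the helper names and the constructed em0 line are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): why does pflog0 inside a
# vnet jail show "flags=0<>" and no /var/log/pflog? Assumes $1 is the jail
# name and that jexec(8), ifconfig(8), pfctl(8) and pgrep(1) exist on the host.

# Extract the symbolic flag list from one ifconfig(8) line, e.g.
#   "pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184" -> "UP,RUNNING,PROMISC"
#   "pflog0: flags=0<> metric 0 mtu 33184"                    -> ""
flags_of() {
    printf '%s\n' "$1" | sed -n 's/.*flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p'
}

# has_flag LIST FLAG: exact token match in a comma-separated list, so that
# "UP" is not mistaken for a substring of some other flag name.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# True when the interface line carries both UP and RUNNING.
iface_line_is_running() {
    f=$(flags_of "$1")
    has_flag "$f" UP && has_flag "$f" RUNNING
}

# Count rules in "pfctl -sr" output that carry the "log" keyword. A rule set
# with none of them filters traffic but never hands a packet to pflog0.
count_log_rules() {
    printf '%s\n' "$1" | awk '
        $0 ~ /^(@[0-9]+ )?(pass|block|match) / && $0 ~ /[[:space:]]log([[:space:]]|\(|$)/ { n++ }
        END { print n + 0 }'
}

# Live check against a running vnet jail (run as root on the host).
check_jail_pflog() {
    jail="$1"

    line=$(jexec "$jail" ifconfig pflog0 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "$jail: pflog0 does not exist in the jail"
        return 2
    fi
    if iface_line_is_running "$line"; then
        echo "$jail: pflog0 is UP/RUNNING: $line"
    else
        echo "$jail: pflog0 exists but is down: $line"
    fi

    # pflogd(8) opens pflog0 via bpf(4) in promiscuous mode (hence PROMISC on
    # the host's pflog0), so it needs a visible /dev/bpf and a live process.
    if jexec "$jail" pgrep -x pflogd >/dev/null 2>&1; then
        echo "$jail: pflogd is running"
    else
        echo "$jail: pflogd is NOT running; try: jexec $jail service pflog start"
    fi
    echo "$jail: devfs view of the nodes pf and pflogd need:"
    jexec "$jail" ls -l /dev/pf /dev/pflog /dev/bpf 2>&1

    rules=$(jexec "$jail" pfctl -sr 2>/dev/null || true)
    echo "$jail: rules carrying the log keyword: $(count_log_rules "$rules")"
}

if [ "$#" -gt 0 ]; then
    check_jail_pflog "$1"
fi
```

Run it as `sh pflog-check.sh <jailname>` on the host; a jail whose pflog0 is reported down together with "pflogd is NOT running" points at the pflog rc script rather than at the rule set, while a log-rule count of 0 means no rule will ever write to pflog0 no matter how pflogd is doing.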