Date: Sat, 12 Jul 2014 08:21:41 +1200
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
In-Reply-To: <53BFE796.7020502@a1poweruser.com>
From: Peter Toth
To: Fbsd8
Cc: Peter Ross, freebsd-jail@freebsd.org
List-Id: Discussion about FreeBSD jail(8)

This sounds a bit vague, can you please explain in more detail what you
meant by this?

IPFW works inside a vnet jail - you can manage per-jail firewall instances
without any issues. The only firewall which cannot function inside a jail
(yet) is PF.

P

On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:
> Peter Toth wrote:
>
>> Have not used natd with IPFW much as always preferred PF to do everything
>> on the host.
>>
>> I have only a wild guess - the "me" keyword in IPFW is substituted only to
>> the host's IPs known to itself.
>> The host's IPFW firewall most likely doesn't know anything about IPs
>> assigned to vnet interfaces inside the jail.
>>
>> Vnet jails behave more like separate physical hosts.
>>
>> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>>
>> The PF issue inside a jail is a separate problem, PF is not fully
>> VIMAGE/VNET aware as far as I know.
>>
>> Can someone comment on these or correct me?
>>
>> P
>>
>> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:
>>
>>> On Thu, 10 Jul 2014, Peter Toth wrote:
>>>
>>> Hi Peter,
>>>
>>>> Try to make these changes:
>>>>
>>>> net.inet.ip.forwarding=1      # Enable IP forwarding between interfaces
>>>> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
>>>> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
>>>> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>>>>
>>>> You can find some info here:
>>>> http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>>>
>>>> I've had these issues before with PF and IPFW, by default these will be
>>>> filtering on your bridge and member interfaces.
>>>
>>> Thanks. It did not change anything.
>>>
>>> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>>>
>>> This on the host system:
>>>
>>> 01000 check-state
>>> 01100 allow tcp from any to any established
>>> 01200 allow ip from any to any frag
>>> 00100 divert 8668 ip4 from any to any via age0
>>> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>>> 03200 allow udp from any to me dst-port 53 keep-state
>>>
>>> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>>>
>>> If I add
>>>
>>> 03300 allow udp from me 53 to any
>>>
>>> it works.
>>>
>>> So it makes me think check-state isn't usable - because
>>>
>>> 03200 allow udp from any to me dst-port 53 keep-state
>>>
>>> should cover the returning packets.
>>>
>>> I played with your parameters but it did not help. But thanks for the
>>> idea.
>>>
>>> Here again the setup:
>>>
>>> Internet->age0(host interface with natd and external IP)
>>>   ->bridge10(10.0.10.254)->epair1a
>>>   ->epair1b(10.0.10.1 in bind vnet jail)
>>>
>>> I wonder what kind of restrictions exist with vnet.. it does not seem to
>>> work _exactly_ as a "real" network stack (the issues with pf inside the
>>> jail let me think of it too)
>>>
>>> Did I find a restriction, a bug - or just that I've got it wrong?
>>>
>>> Regards
>>> Peter
>>>
>>
> Any firewall function that runs in the kernel will not function inside of
> a vnet/vimage jail.
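The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of how the host ruleset quoted by Peter Ross (divert to natd at 00100, check-state at 01000, keep-state rules 03100/03200, and the optional 03300) would evaluate a DNS query from the Internet and the jail's reply. It models the well-documented ipfw behaviour that a diverted packet is re-injected at the rule after the divert, and that a keep-state rule records the addresses it saw when it fired. The external address, the client address and the evaluation code are constructed assumptions; the model deliberately looks at the age0 pass only, since the thread turns bridge/member filtering off.

```python
# Added example (not from the mailing-list thread): a toy model of the host
# ipfw ruleset quoted above, with a natd-style divert and keep-state /
# check-state dynamic rules. Addresses of the jail and the rule table come
# from the thread; the evaluation logic is a simplified assumption and not
# ipfw's implementation.
from dataclasses import dataclass, replace

EXTERNAL_IP = "203.0.113.10"              # constructed stand-in for "external.ip"
JAIL_DNS = "10.0.10.1"                    # epair1b inside the bind vnet jail
HOST_ADDRS = {EXTERNAL_IP, "10.0.10.254"}  # what "me" expands to on the host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out" relative to age0


def natd_translate(pkt):
    """Model of natd with 'redirect_port udp 10.0.10.1:53 external.ip:53'."""
    if pkt.direction == "in" and pkt.dst == EXTERNAL_IP and pkt.dport == 53:
        return replace(pkt, dst=JAIL_DNS)         # inbound: external -> jail
    if pkt.direction == "out" and pkt.src == JAIL_DNS and pkt.sport == 53:
        return replace(pkt, src=EXTERNAL_IP)      # outbound: jail -> external
    return pkt


def state_key(pkt):
    """Dynamic-rule key: protocol plus the unordered endpoint pair, so one
    entry matches both directions of a flow, as ipfw keep-state does."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


def host_rules(with_fix):
    """The ruleset from the thread as (number, action, keep_state, match)."""
    rules = [
        (100, "divert", False, lambda p: True),               # ip4 any to any via age0
        (1000, "check-state", False, lambda p: True),
        (1100, "allow", False, lambda p: p.proto == "tcp"),   # 'established' not modelled
        (1200, "allow", False, lambda p: False),              # fragments not modelled
        (3100, "allow", True, lambda p: p.proto == "udp"
         and p.dst == JAIL_DNS and p.dport == 53),
        (3200, "allow", True, lambda p: p.proto == "udp"
         and p.dst in HOST_ADDRS and p.dport == 53),
    ]
    if with_fix:  # the rule the poster added: 03300 allow udp from me 53 to any
        rules.append((3300, "allow", False, lambda p: p.proto == "udp"
                      and p.src in HOST_ADDRS and p.sport == 53))
    return rules


def evaluate(rules, pkt, states):
    """Walk rules in number order; return (verdict, rule number). A divert
    rewrites the packet and continues at the next rule, as re-injection does."""
    for num, action, keep_state, match in sorted(rules):
        if action == "check-state":
            if state_key(pkt) in states:
                return "allow", num
            continue
        if not match(pkt):
            continue
        if action == "divert":
            pkt = natd_translate(pkt)
            continue
        if keep_state:
            states.add(state_key(pkt))
        return action, num
    return "deny", 65535  # implicit default rule


def dns_exchange(with_fix):
    """Run one query from an Internet client and the jail's reply through
    the host ruleset; report both verdicts and the recorded state keys."""
    states = set()
    rules = host_rules(with_fix)
    client = ("198.51.100.7", 40000)  # constructed remote client
    query = Packet("udp", client[0], client[1], EXTERNAL_IP, 53, "in")
    reply = Packet("udp", JAIL_DNS, 53, client[0], client[1], "out")
    return {
        "query": evaluate(rules, query, states),
        "reply": evaluate(rules, reply, states),
        "states": sorted(str(k) for k in states),
    }


if __name__ == "__main__":
    for fix in (False, True):
        result = dns_exchange(fix)
        print("with 03300" if fix else "without 03300", result["query"], result["reply"])
        print("  dynamic state:", result["states"])
```

In this model the query is translated to 10.0.10.1:53 before rule 03100 fires, so the dynamic entry records the jail address; the reply is translated back to the external address before check-state runs, so no entry matches and the packet reaches the default deny until rule 03300 catches it. That mechanism is the model's assumption, offered because it is consistent with every observation in the thread, not something the thread confirms. When auditing a ruleset of this shape, checking which addresses `ipfw -d list` shows in the dynamic rules against which addresses the return traffic carries at the check-state rule is the quickest way to tell whether the NAT is on the wrong side of the state.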