Date:      Sat, 30 Sep 2017 10:38:58 +0000
From:      Andrew Hotlab <andrew.hotlab@hotmail.com>
To:        Marko Cupać <marko.cupac@mimar.rs>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject:   RE: setfib (ez)jails and weird routing
Message-ID:  <AM3PR02MB31250DCB6D22C712457C38EF67F0@AM3PR02MB312.eurprd02.prod.outlook.com>
In-Reply-To: <20170929103258.2f912308@efreet-freebsd.kappastar.com>
References:  <20170929103258.2f912308@efreet-freebsd.kappastar.com>

Hi Marko. I'm running an almost identical setup, but I do not have this issue: ICMP echo reply packets are sent from the right interface.
The only difference is that I didn't define additional lo1 and lo2 interfaces, but I guess it shouldn't be the cause.

I'm running releng/10.3. Which release are you working on?

Andrew
________________________________________
From: owner-freebsd-jail@freebsd.org [owner-freebsd-jail@freebsd.org] on behalf of Marko Cupać [marko.cupac@mimar.rs]
Sent: Friday, September 29, 2017 10:32 AM
To: freebsd-jail@freebsd.org
Subject: setfib (ez)jails and weird routing

Hi,

I notice weird routing in my setfib (ez)jails setup.

I have a server with multiple NICs. setfib should ensure that LAN jails
(setfib 1) can not talk to DMZ jails (setfib 2) over loopbacks, but
need to go through firewalls as though they were physical boxes.

pacija@warden3:~ % sudo setfib 1 netstat -rn
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.30.19.190       UGS        bce0
10.30.19.160/27    00:1c:c4:de:0a:86  US         bce0
127.0.0.1          lo0                UHS         lo0
127.0.1.0/24       lo1                US          lo1

pacija@warden3:~ % sudo setfib 2 netstat -rn
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            193.53.106.254     UGS        bce1
127.0.0.1          lo0                UHS         lo0
127.0.2.0/24       lo2                US          lo2
193.53.106.0/24    00:1c:c4:de:0a:84  US         bce1

Host has the same default route as fib 1:

pacija@warden3:~ % sudo netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.30.19.190       UGS        bce0
...

If I ssh from the Internet into DMZ jail, everything works as expected.
But if I ping DMZ jail from the Internet, I see reply packets leaving
not the interface they came from (bce1, public address space, DMZ), but
another one (bce0, private address space, LAN). This is kinda
understandable, because jail on fib2 does not have ICMP enabled, so
it is not DMZ jail, but the host (which is in fib 0) who replies to
packets via its default gateway (router on a private LAN).

Is there an easy and elegant way to solve this? Like binding IP address
to fib? I wouldn't like to have to fire up pf on host and meddle with
reply-to rules in order to achieve this, I'd rather revert to old setup
of separate physical servers for each network.

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
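As an added illustration (not part of the thread), the script below does a longest-prefix lookup over the netstat -rn tables quoted in the message and shows the asymmetry Marko describes: a reply generated by the host in fib 0 leaves via bce0, while the same reply generated in fib 2 leaves via bce1. The Internet source address is a constructed placeholder, and the fib 0 table is reduced to the single default route the message shows.

```python
# Added example: which interface does a reply to a given destination leave on,
# per FIB?  Tables are constructed from the netstat -rn output quoted above.
import ipaddress

FIB_TABLES = {
    # fib 0 (host): the message shows only the default route via bce0
    0: """default            10.30.19.190       UGS        bce0""",
    1: """default            10.30.19.190       UGS        bce0
10.30.19.160/27    00:1c:c4:de:0a:86  US         bce0
127.0.0.1          lo0                UHS         lo0
127.0.1.0/24       lo1                US          lo1""",
    2: """default            193.53.106.254     UGS        bce1
127.0.0.1          lo0                UHS         lo0
127.0.2.0/24       lo2                US          lo2
193.53.106.0/24    00:1c:c4:de:0a:84  US         bce1""",
}

def parse_routes(text):
    """Turn netstat -rn rows into (network, netif) pairs; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        dest, _gw, _flags, netif = line.split()[:4]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        routes.append((net, netif))
    return routes

def egress_interface(fib, dst):
    """Longest-prefix match: the interface a packet to dst leaves on in this FIB."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in parse_routes(FIB_TABLES[fib]) if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def reply_path_mismatch(reply_fib, ingress_fib, src):
    """True when a reply produced in reply_fib would leave on a different
    interface than the one the packet from src arrived on (ingress_fib)."""
    return egress_interface(reply_fib, src) != egress_interface(ingress_fib, src)

if __name__ == "__main__":
    INTERNET_SRC = "198.51.100.7"   # constructed documentation address
    for fib in (0, 2):
        print(f"fib {fib}: reply to {INTERNET_SRC} leaves via "
              f"{egress_interface(fib, INTERNET_SRC)}")
    print("host (fib 0) reply asymmetric:",
          reply_path_mismatch(0, 2, INTERNET_SRC))
```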