From: Ernie Luzar <luzar722@gmail.com>
Date: Fri, 17 Jul 2020 08:46:07 -0400
To: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org, David Mehler, Ernie Luzar
Subject: vnet jail for local only or public access

Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host, i.e. local-only vnet jails, as opposed to vnet jails that can access the public internet. Using the bridge/epair method of connecting vnet jails to the host [based on this how-to]: https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/

It's my understanding that this behavior is controlled by whether the host's interface connected to the public internet is added as a member of the bridge that the vnet jails' epairXa interfaces are members of.

I tested this on a remote VM and found that it made no difference one way or the other whether the host's interface connected to the public internet was added as a member of the bridge or not. In both cases the vnet jail had public internet access. On my home server I set up this scenario and observed the same behavior. This behavior raises some questions.
Is it technically possible to segregate vnet jails into groups of vnet jails that are restricted to local-host-only access and another group that has public access? If so, what is the mechanism that controls this ability? If I wanted both local-only and public vnet jails on the same host, I would think each group would need its own bridge. Where do we go from there? Is my understanding correct and this is a bug in if_bridge?
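An added example, not code from the original post or from the linked how-to: a FreeBSD sh script that keeps the two jail groups on separate bridges, giving the public NIC and a host address only to the public bridge. The local-only bridge gets neither an uplink member nor a host address, because a host address on the bridge together with IP forwarding or NAT gives jails a route out whatever the bridge's members are; a check function parses ifconfig output to confirm the local bridge stays that way. Interface names (em0, bridge0, bridge1, epairN), the 192.168.1.1/24 address and the DRYRUN variable are assumptions.

```shell
# Added example, not code from the original post. Interface names and the
# 192.168.1.1/24 host address are assumptions for illustration.
set -eu

PUBLIC_IF="em0"          # host NIC on the public internet (assumed name)
PUB_BRIDGE="bridge0"     # bridge for jails that may reach the internet
LOCAL_BRIDGE="bridge1"   # bridge for host-local jails: no uplink, no host IP

# run: echo the command when DRYRUN=1, execute it otherwise.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Public group: the host NIC is a member and the host holds an address on
# the bridge, so it can route/NAT for these jails (as in the how-to).
setup_public_bridge() {
    run ifconfig "$PUB_BRIDGE" create
    run ifconfig "$PUB_BRIDGE" addm "$PUBLIC_IF" up
    run ifconfig "$PUB_BRIDGE" inet 192.168.1.1/24
}

# Local-only group: no uplink member and no host address on the bridge, so
# frames cannot leave at layer 2 and there is no host gateway at layer 3.
setup_local_bridge() {
    run ifconfig "$LOCAL_BRIDGE" create
    run ifconfig "$LOCAL_BRIDGE" up
}

# attach_jail <bridge> <epairN>: create the pair and put its "a" side on the
# bridge; the "b" side goes to the jail via vnet.interface in jail.conf.
attach_jail() {
    run ifconfig "$2" create
    run ifconfig "$1" addm "$2a" up
    run ifconfig "$2a" up
}

# check_local_bridge <ifconfig output>: succeed only if the local bridge has
# no host inet address and the public NIC is not one of its members.
check_local_bridge() {
    ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*(inet |member: $PUBLIC_IF )"
}

main() {
    setup_public_bridge
    setup_local_bridge
    attach_jail "$PUB_BRIDGE" epair0     # public jail
    attach_jail "$LOCAL_BRIDGE" epair1   # local-only jail
}
# Only touch the system when explicitly asked: sh vnet-groups.sh apply
case "${1:-}" in apply) main ;; esac
```

Run `check_local_bridge "$(ifconfig bridge1)"` after setup, and again whenever rc.conf changes, to catch a host address or uplink member that would quietly re-open the local group.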