From owner-freebsd-pf@freebsd.org  Tue Nov  7 15:50:15 2017
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6A7DE5C532
 for <freebsd-pf@mailman.ysv.freebsd.org>; Tue,  7 Nov 2017 15:50:15 +0000 (UTC)
 (envelope-from irukandji@voidptr.eu)
Received: from voidptr.eu (voidptr.eu [193.77.148.197])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "voidptr.eu",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A744C7089E
 for <freebsd-pf@freebsd.org>; Tue,  7 Nov 2017 15:50:15 +0000 (UTC)
 (envelope-from irukandji@voidptr.eu)
Received: none.of.your.bussiness.com ([66.66.66.661]:1337) by
 dynamic-122111.voidptr.eu with esmtp
Message-ID: <1510069428.4725.31.camel@voidptr.eu>
Subject: Jail isolation from internal network and host (pf, vnet (vimage),
 freebsd 11.1)
From: irukandji <irukandji@voidptr.eu>
To: freebsd-pf@freebsd.org
Date: Tue, 07 Nov 2017 16:43:48 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 15:50:16 -0000

Hi Everyone,

Problem: isolating jail away from internal network and host "hosting"
it.
Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
single network card on re0

I am unable prevent jail accessing host (192.168.1.200) for any other
ip it is working, i have configured VNET just to have separated stack
but host is still accessible from jail.

Am I missing something or this is just something that cant be
accomplished using pf? I am banging my head to the wall with this issue
for past few months going radical lately (kernel recompile ;) )
but still without any result.

Can PLEASE someone help me out?

Regards,
irukandji