Date:      Tue, 7 Nov 2017 19:18:06 +0100
From:      Goran Mekić <meka@tilda.center>
To:        irukandji <irukandji@voidptr.eu>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Message-ID:  <20171107181806.dus6nizw3n4flr73@hal9000.meka.no-ip.org>
In-Reply-To: <1510069428.4725.31.camel@voidptr.eu>
References:  <1510069428.4725.31.camel@voidptr.eu>

On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> Hi Everyone,
>
> Problem: isolating a jail away from the internal network and the host
> "hosting" it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE-enabled
> kernel, VNET (vnet0:JID) over a bridge interface (bridge0), single
> network card on re0
>
> I am unable to prevent the jail from accessing the host (192.168.1.200);
> for any other IP it is working. I have configured VNET just to have a
> separate stack, but the host is still accessible from the jail.
>
> Am I missing something, or is this just something that can't be
> accomplished using pf? I have been banging my head against the wall with
> this issue for the past few months, going radical lately (kernel
> recompile ;) ) but still without any result.
>
> Can PLEASE someone help me out?
>
> Regards,
> irukandji

I am not sure I understand the use case. It sounds to me like you would like to be a hosting provider where a bare metal machine is hosting other people's jails, and you don't want those people to be able to access the underlying machine. Also, when you say "jail accessing host", does that mean over SSH or something else?
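For readers of the archive: the following host-side pf.conf fragment is an added example of the isolation the question asks for (vnet jail 192.168.1.100 on bridge0, host 192.168.1.200, uplink re0). It is not from either poster. The interface name epair0a is an assumption: it stands for the host-side end of the jail's epair pair, the bridge0 member through which everything the jail sends enters the host.

```pf
# Added example, not from the thread. epair0a is an assumed name for the
# host-side epair of the jail (the bridge0 member the jail's traffic enters on).
jail_if  = "epair0a"
jail_ip  = "192.168.1.100"
host_ip  = "192.168.1.200"
lan_net  = "192.168.1.0/24"

# A vnet jail owns its own network stack and can change its address at will,
# so match on the interface the jail is wired to, not on its claimed source IP.
# Jail -> host and jail -> rest of the LAN are dropped and logged; anything
# else (e.g. Internet via the default gateway) is passed.
block in log quick on $jail_if to $host_ip
block in log quick on $jail_if to $lan_net
pass  in quick on $jail_if to any

# Interface-independent safety net: drop the jail address to the host address
# wherever pf happens to see it, in case the bridge hands the packet to pf on
# another interface (re0 or bridge0) instead of on $jail_if.
block in log quick from $jail_ip to $host_ip
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the rules are in place with `pfctl -sr`. Whether pf sees bridged frames on the member interface, on bridge0, or on the physical interface is governed by the if_bridge(4) sysctls `net.link.bridge.pfil_member`, `net.link.bridge.pfil_bridge` and `net.link.bridge.pfil_local_phys`; inspect them with `sysctl net.link.bridge` and, rather than guessing, watch `tcpdump -n -e -ttt -i pflog0` while probing the host from inside the jail to see which interface the logged drop is attributed to, then tighten the `on` clauses accordingly.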

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171107181806.dus6nizw3n4flr73>