IPFW ipfw and vnet

I have an ng network with ng_bridge connected to ng_ether and ng_eiface connected to this bridge.
I create a jail with vnet.interface = ngeth0. After running ipfw on the host, I automatically get the default rule "65535 deny ip from any to any" in the jail.
Is this correct behaviour? How can I turn it off? Or change the default rule to "allow ip from any to any"? Adding "firewall_type=open" to rc.conf only works for the host,
not the jail.
 
It's controlled via a sysctl(8) variable, but do not change it to allow. The idea behind this is to only allow traffic which the administrator approves/allows. It's much easier to create allow rules than to allow all traffic and create deny rules to block unwanted traffic, as you will always miss something.


net.inet.ip.fw.default_to_accept: 0
Defines ipfw last rule behavior. This value overrides options
IPFW_DEFAULT_TO_(ACCEPT|DENY) from kernel configuration file.
 
You can easily add the rule in your jail.conf, for example as a poststart hook:
Code:
    exec.poststart += "jexec $name ipfw add 65500 allow all from any to any";
I don't really know why the default is to deny all traffic, I have also experienced that issue, even without ng.
 
As I understand it, after using the vnet option in the jail settings, its own network stack comes up in the jail. And it seemed strange to me that the firewall on the host "interferes" with the work of the jail by adding its own rules. For example, pf does not behave like this. It is only responsible for the host; to protect the jail you need to run pf inside the jail.
 
As I understand it, after using the vnet option in the jail settings, its own network stack comes up in the jail. And it seemed strange to me that the firewall on the host "interferes" with the work of the jail by adding its own rules.

As VladiBG pointed out, ipfw default policy is to deny all traffic, unless and until you add earlier rules to allow some. This leaves no open window where malicious traffic may get through.

For example, pf does not behave like this. It is only responsible for the host; to protect the jail you need to run pf inside the jail.

I can't comment on pf. Once you run ipfw on the host, it is also running in vnet jails, with its default policy in place - i.e. deny all - until you enable traffic.

Be glad that you're so well protected, and design a ruleset appropriate for the particular jail, given that the host rules must protect the whole system.

You might be satisfied to allow all traffic to and from the jail (one rule), or to only permit traffic related to its purpose, but you have to do something explicit.
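As an added example (not code from this thread, nor from FreeBSD itself), here is a POSIX sh script that builds the kind of explicit per-jail ruleset the last two posts argue for, and emits the same exec.poststart hook as the earlier post but pointed at that ruleset instead of at "allow all from any to any". It keeps the kernel's default rule 65535 as the backstop and only opens what the jail needs. The jail name www, the path /etc/ipfw.www.sh (inside the jail's root) and the service ports are assumptions for illustration; ngeth0 is the interface from the original post. Nothing is executed by the script itself; it only prints ipfw commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an explicit ipfw ruleset
# for one vnet jail so that the default rule 65535 (deny) stays in place as the
# backstop rather than being overridden by "allow all from any to any".
# Assumed (hypothetical): jail "www" on interface ngeth0, serving TCP 80/443,
# needing outbound DNS and outbound TCP it initiates.

# gen_jail_rules IFACE PORT...  -> prints one ipfw command per line.
# Nothing is run here; pipe the output into "jexec NAME sh" to apply it.
gen_jail_rules() {
    iface=$1
    shift
    # start clean: flush removes every rule except the default 65535
    printf 'ipfw -q flush\n'
    # loopback inside the jail's own network stack
    printf 'ipfw add 100 allow ip from any to any via lo0\n'
    # match replies to the stateful rules below
    printf 'ipfw add 200 check-state\n'
    # outbound: DNS and any TCP connection the jail initiates, tracked by state
    printf 'ipfw add 300 allow udp from me to any 53 out via %s keep-state\n' "$iface"
    printf 'ipfw add 310 allow tcp from me to any out via %s setup keep-state\n' "$iface"
    # inbound: only the listed service ports, numbered 1000, 1010, ...
    n=1000
    for port in "$@"; do
        printf 'ipfw add %d allow tcp from any to me %s in via %s setup keep-state\n' \
            "$n" "$port" "$iface"
        n=$((n + 10))
    done
    # explicit logged deny just ahead of the implicit default, so blocked
    # traffic is visible in the security log instead of dropped silently
    printf 'ipfw add 65000 deny log ip from any to any\n'
}

# count_allow_rules IFACE PORT... -> number of allow rules generated;
# a quick sanity check that every requested port produced a rule
count_allow_rules() {
    gen_jail_rules "$@" | grep -c ' allow '
}

# jail_conf_fragment NAME IFACE -> jail.conf lines that load the saved
# ruleset as a poststart hook (same mechanism as the earlier post, but
# loading explicit rules instead of a single allow-all rule).
# Assumes the generated rules were saved to /etc/ipfw.NAME.sh in the jail.
jail_conf_fragment() {
    name=$1
    iface=$2
    printf '%s {\n' "$name"
    printf '    vnet;\n'
    printf '    vnet.interface = "%s";\n' "$iface"
    printf '    exec.poststart += "jexec %s sh /etc/ipfw.%s.sh";\n' "$name" "$name"
    printf '}\n'
}

# Stand-alone use: sh ipfw-jail-rules.sh ngeth0 80 443
# prints the ruleset for the given interface and inbound TCP ports.
if [ "$#" -gt 0 ]; then
    gen_jail_rules "$@"
fi
```

To apply the rules to a running jail from the host, pipe the output through jexec (for example `sh ipfw-jail-rules.sh ngeth0 80 443 | jexec www sh`), or save it to the path named in the jail.conf fragment so it is loaded at every start. The ordering matters: the stateful check-state and the keep-state rules come first so replies are accepted, the inbound rules name only the ports the jail actually serves, and the final logged deny sits just before the default so that anything unexpected is both blocked and recorded.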
 