jails: ipfw, vnet, jail - how does ipfw work on the host machine?

I created a jail with VNET. My host machine has ipfw, and the jail has ipfw too. How do these two ipfw instances work together? The jail's ipfw works as an independent unit on the jail IP, that I understand. But how does the host ipfw work? Does it check the traffic going to the jail?

Ping from the jail to the Internet works fine if I stop both ipfw instances. If I start the host ipfw, ping from the jail does not work, although ping from the host works properly. How do I set up the host ipfw for a VNET jail?
 
The physical interface on the host sees all traffic so I use just one firewall config file on the host that handles firewalling for the host and all VNET jails.

I'm guessing here but I assume that if you have firewall rules for each individual jail then you will have to copy those into the host firewall config, or make exceptions for the jails in the host firewall so that all jail traffic can pass through the host without being blocked.
 
Ok, thank you.
I use the rules in /etc/rc.firewall, with these settings:
Code:
firewall_type
firewall_myservices
firewall_allowservices
...
So, I suppose, if I set firewall_myservices=www, all the jails on my host will see all www traffic that comes through the host's network adapter? And if I want to close www for someone, what can I do?
 
Looking at /etc/rc.firewall, firewall_allowservices appears to add rules destined to me, which the ipfw man page defines as "any IP address configured on an interface in the system" so if your host lists the address with ifconfig then what you suggest should work.

/etc/rc.firewall doesn't have any knowledge of jails. It assumes the firewall is just for the host so I don't think it's possible to exclude individual jails. You would probably need to use firewall_script instead of firewall_type and write the rules yourself. This is what I do with my VNET jails, although I am using pf instead of ipfw.
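As an added illustration of the firewall_script approach suggested above (constructed example, not code from this thread, from FreeBSD's rc.firewall, or from the poster's pf setup): an ipfw rule script that treats the host and one VNET jail separately, allowing only www into the jail while the host keeps only ssh. It assumes the host ipfw sees the jail's packets on external interface em0, host address 192.0.2.10 and jail address 192.0.2.20; the path /etc/ipfw.rules and the DRY_RUN switch are likewise assumptions for this example.

```shell
#!/bin/sh
# Hypothetical /etc/ipfw.rules, loaded via firewall_script="/etc/ipfw.rules"
# in rc.conf. Constructed example, not code from the thread or from FreeBSD.
# Assumed topology: host 192.0.2.10 and VNET jail 192.0.2.20 both reachable
# on external interface em0, and the host ipfw sees the jail's traffic there.
EXT_IF="${EXT_IF:-em0}"
HOST_IP="${HOST_IP:-192.0.2.10}"
JAIL_IP="${JAIL_IP:-192.0.2.20}"

# With DRY_RUN set, print the rules instead of loading them into the kernel.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'ipfw %s\n' "$*"; else /sbin/ipfw -q "$@"; fi
}

build_rules() {
    fw -f flush
    fw add 100 allow ip from any to any via lo0
    # Admit replies to the stateful rules below before anything else.
    fw add 200 check-state
    # Host and jail may open connections outbound; keep-state lets the replies in.
    fw add 300 allow ip from "$HOST_IP" to any out via "$EXT_IF" keep-state
    fw add 310 allow ip from "$JAIL_IP" to any out via "$EXT_IF" keep-state
    # Explicit ICMP replies/errors to the jail: the "ping from the jail" case.
    fw add 400 allow icmp from any to "$JAIL_IP" in via "$EXT_IF" icmptypes 0,3,11
    # Only www may reach the jail from outside; everything else to it is dropped
    # here, which firewall_type/firewall_myservices on the host cannot express.
    fw add 500 allow tcp from any to "$JAIL_IP" 80,443 in via "$EXT_IF" setup keep-state
    fw add 510 deny log ip from any to "$JAIL_IP" in via "$EXT_IF"
    # The host itself: ssh only.
    fw add 600 allow tcp from any to "$HOST_IP" 22 in via "$EXT_IF" setup keep-state
    fw add 65000 deny log ip from any to any
}

# Load the rules only when executed as the firewall script; sourcing the file
# merely defines the functions so the rule set can be reviewed with DRY_RUN=1.
case "$0" in */ipfw.rules) build_rules ;; esac
```

Run `DRY_RUN=1 sh -c '. /etc/ipfw.rules; build_rules'` to review the generated rule set before enabling it in rc.conf.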
 