Recently I changed my jails to being VNET jails, and I thought I checked to make sure it was working okay with my firewall, but apparently not. It seems my firewall rules are doing much of nothing. I have a somewhat complex setup with my networking. I have my iocage jails using a bridged interface; in addition to that, I have bhyve jails using that same bridge. One of my rules is to block an <externaljails> table from communicating with an <internaljails> table. That isn't working. Additionally, I also tried blocking traffic from one jail to my network (not shown in the contents below), but that seemed to do nothing, no matter what I tried. Did I royally mess up my firewall rules? Seems this is the #1 issue I always return to with FreeBSD. Definitely my own problem, but I've read and researched and can't seem to get this right. Here are my rules:
Code:
ext_if="em0"
localnet="192.168.10.0/24"
nextcloud = "{ 192.168.10.42 }"
githost = "192.168.10.50"
plex = "{ 192.168.10.44 }"
## Set and drop these IP ranges on public interface ##
table <martians> { 127.0.0.0/8 172.16.0.0/12 10.0.0.0/8 192.168.0.0/16 \
169.254.0.0/16 192.0.2.0/24 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 \
!192.168.10.0/24 !127.0.0.1 }
webports = "{ http, https }"
tcp_services = "{ bootps, bootpc, domain, ntp }"
udp_services = "{ bootps, bootpc, domain, ntp }"
udp6_services="{ 53, 123, 1194, 546, domain }" # 546 == dhcpv6-client
plex_ports_tcp = "{ 32400, 3005, 8324, 32469 }"
plex_ports_udp = "{ 1900, 5353, 32410, 32412, 32413, 32414 }"
icmp_types = "{echoreq, unreach}"
icmp6_types="{ 128, 133, 134, 135, 136, 137 }"
tcp_state="flags S/SA keep state"
udp_state="keep state"
table <bruteforce> persist
table <goodhosts> { 192.168.10.0/24 }
table <externaljails> { $nextcloud, $githost }
table <internaljails> { $plex }
table <sshjails> { 192.168.10.50 }
# Don't send rejections. Just drop.
set block-policy return
# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble
# set a default deny policy.
block in log all
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
# Enable antispoofing on the external interface
antispoof quick for $ext_if
block in on $ext_if from urpf-failed to any
# Block internal and external jails from communicating
block drop quick from <externaljails> to <internaljails>
pass in proto tcp from 127.0.0.1 port 25 to port 25
## INBOUND
########### ICMP4/6 ###########
# ICMPv4
pass inet proto icmp icmp-type $icmp_types
# ICMPv6
#pass on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types
pass inet6 proto icmp6 icmp6-type $icmp6_types
########### Web Servers ###########
pass proto tcp to $nextcloud port $webports $tcp_state
pass proto tcp to $githost port $webports $tcp_state
########## Nextcloud ############
############# PLEX ##############
pass proto tcp from any to $plex port $plex_ports_tcp $tcp_state
pass proto udp from any to $plex port $plex_ports_udp $udp_state
############## SSH ##############
# Allow SSH in to jails that allow sshjails
pass in on $ext_if proto { tcp, udp } from 192.168.10.0/24 to <sshjails> port ssh $tcp_state
# Allow SSH into main host
pass quick proto { tcp, udp } from any to 192.168.10.40 port ssh $tcp_state
pass inet6 proto udp from any to any port $udp6_services $udp_state
pass inet proto udp from any to any port $udp_services $udp_state
##### OUTBOUND
pass out proto tcp to any port $webports
pass out proto tcp to any port 22
And how my networking is configured in my rc.conf
Code:
ifconfig_em0="DHCP"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 up"
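When a block rule like the <externaljails> to <internaljails> one above appears to do nothing, the first thing worth separating is "the rule never matches" from "pf never sees the packets at all" (for example because they travel between bridge members). pfctl's verbose rule listing (`pfctl -vsr`) prints an Evaluations/Packets counter line under every rule, and a rule with zero evaluations was never even consulted. The helper below is an added example, not part of the post: it filters that output down to the rules that have never been evaluated. The counter lines it runs against here are a constructed sample shaped like pfctl's verbose output, not real counters from the poster's host.

```sh
#!/bin/sh
# Added example: list pf rules whose Evaluations counter is still zero.
# On a live FreeBSD host you would pipe the real counters in:
#   pfctl -vsr | list_never_evaluated
# Here it runs against a constructed sample so it works offline.

list_never_evaluated() {
    awk '
        # The counter line follows the rule it belongs to; field 3 is Evaluations.
        /^ *\[ Evaluations:/ {
            if ($3 == 0) print rule
            next
        }
        # Second bracketed line (Inserted: uid/pid) carries nothing we need.
        /^ *\[ Inserted:/ { next }
        # Anything else is a rule line: remember it for the counter line below.
        { rule = $0 }
    '
}

# Constructed sample in the shape of `pfctl -vsr` output (assumed values).
SAMPLE='block drop in log all
  [ Evaluations: 1482      Packets: 37        Bytes: 2961        States: 0     ]
  [ Inserted: uid 0 pid 1001 State Creations: 0     ]
block drop quick inet from <externaljails> to <internaljails>
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1001 State Creations: 0     ]
pass inet proto tcp from any to 192.168.10.44 port = 32400 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1001 State Creations: 0     ]'

# Number of never-evaluated rules in the sample (2 with the data above).
count_never_evaluated() {
    printf '%s\n' "$SAMPLE" | list_never_evaluated | wc -l | tr -d ' '
}

# First never-evaluated rule in the sample, for a quick look.
first_never_evaluated() {
    printf '%s\n' "$SAMPLE" | list_never_evaluated | head -n 1
}
```

If the block rule shows up in this list while jail-to-jail traffic is clearly flowing, the packets are bypassing pf rather than being passed by a later rule, and the bridge and interface configuration is the place to look; if the rule has evaluations but no packets, the addresses or direction in the rule are what to revisit.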