Block access to IP alias address

B

bbzz

I have a couple of jails running on machine that used to serve only as router. Internal physical interface is sitting on 172.16.0.0/12 network. Jails IP aliases sitting on that interface are on 10.0.0.0/8 network, for example 10.255.255.53/32 for DNS, 10.255.255.80/32 for web, etc.

Hosts on 172.16.0.0/12 are able to "telnet" into both 172.16.0.254 80 which gets redirected with pf to 10.255.255.80 80, but also are able to directly "telnet" into 10.255.255.80 80.

Security wise I don't think it matters since service is still listening only on jailed port 80 (plus its my home network). What bugs me is that I'm unable to limit network traffic only to physical IP, not aliases IP in pf.

Can I stop hosts from logging directly to aliased IP, and even more, stop aliased IP from answering to layer 2 traffic such as ARP. In other words, hosts shouldn't see any host on 10.0.0.0/8 on 172.16.0.0/12.
 
There is no 'physical' IP, all of them are aliases.

Use
Code: 
block in log all
at the beginning of the pf.conf rules section and enable pflogd. Use pflog to check what connections are blocked.

ARP can't be disabled per subnet, but the interfaces can be configured to not respond to ARP requests (see ifconfig if0 staticarp).

Your problem can be fixed faster using a loopback interface for the jail, unreachable from any NIC, combined with NAT. Move the 10.255.255.x addresses to lo0 or lo1, or use a loopback inferface for each jail.
 
Thanks for replying.

ecazamir said:
There is no 'physical' IP, all of them are aliases.
Click to expand...

Obviously :)
Use 'block in log all' at the beginning of pf.conf rules section and enable pflogd. Use pflog to check what connections are blocked.
Click to expand...
Simple blocking like that doesn't work in pf. That is, if you block either main IP address or alias IP that is getting redirected to main, traffic will not pass.

ARP can't be disabled per subnet, but the interfaces can be configured to not respond to ARP requests (see ifconfig if0 staticarp).
Click to expand...
Doesn't that just disable ARPing for other IPs? It stills answers for its own addresses, I think. I'll look into it.

Your problem can be fixed faster using a loopback interface for the jail, unreachable from any NIC, combined with NAT. Move the 10.255.255.x addresses to lo0 or lo1, or use a loopback inferface for each jail.
Click to expand...

That's what I'm doing right now for all my jails.
 
You must log in or register to reply here.
Back
Top