PF Can't block traffic from jail to internal network / host

I would like to completely isolate a jail from the local network but, on the other hand, keep it accessible from the internet. Since I wasn't able to block it using aliases, I have tried to set up another jail behind PF NAT, and I got myself into the same problem. I can block access to the gateway router (192.168.1.1) by not doing NAT for 192.168.1.1/24 and allowing it for all other addresses (any).

Code:
nat on $ext_if from $jail to { ! 192.168.1.1/24, any} -> ($ext_if)

But I got into the same problem as with the alias: 192.168.1.1 is not accessible from the jail, but the BSD host (192.168.1.150) running the jails is. This is really killing me. I do understand that pf can't filter all the traffic due to internal optimizations on network traffic, but I just can't believe that there is no way to protect the local network from a potentially defaced jail.

I guess I am missing something :( Any help?
 
Hmmm... ok, I have set up a jail with vnet, which is working; the routing table seems ok, but filtering outgoing traffic from the jail on vnet0 still doesn't work. I have tried to tcpdump the traffic on the bridge and on vnet0:JID, and it captures the traffic nicely, but nothing is blocked by pf.

I feel like I am running in circles :(

Jail:
Code:
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS       vnet0
localhost          link#1             UH          lo0
192.168.1.0/24     link#2             U         vnet0
192.168.1.100      link#2             UHS         lo0

It also opens an annoying problem: the vnet0 assigned to a jail is vnet0:JID, but as the JID is not static it is hard to write any pf rules. I could go with the MAC... :confused: but... :confused:
 
Done some extended testing; same problem as before: there is no way to block the jail from accessing the host. :(

Can someone help me out? :(
 
Please post your entire pf.conf. I suspect you have something akin to:
Code:
set skip on lo0
...which needs to be removed in order to filter traffic over the lo0 interface.
 
You could also create a second loopback interface for jails:

/etc/rc.conf
Code:
cloned_interfaces="lo1"

And then configure the jails to use lo1 instead of lo0.
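As an added example (not code from this thread), here is a complete pf.conf for the lo1 layout suggested above, with the `set skip on lo0` line left out so that jail-to-host traffic stays visible to pf. Everything named in it is an assumption: em0 as the host NIC, the host at 192.168.1.150 on the LAN and 10.0.0.1 on lo1, jails at 10.0.0.2 and up, and one jail (10.0.0.2) running a web server that should be reachable from outside.

```pf
# Added example, not code from the thread. pf.conf for non-vnet jails whose
# addresses are aliases on a cloned lo1 (rc.conf: cloned_interfaces="lo1").
# Assumed names: em0 is the host NIC; the host is 192.168.1.150 on the LAN
# 192.168.1.0/24 and 10.0.0.1 on lo1; jails use 10.0.0.2-10.0.0.254 on lo1;
# the jail at 10.0.0.2 runs a web server to be published on port 80.
ext_if    = "em0"
lan       = "192.168.1.0/24"
jail_net  = "10.0.0.0/24"
web_jail  = "10.0.0.2"
host_ips  = "{ 127.0.0.0/8, 192.168.1.150, 10.0.0.1 }"
protected = "{ 192.168.1.0/24, 10.0.0.1 }"   # everything a jail must not reach

# No "set skip on lo0" here: a packet from a jail to one of the host's own
# addresses is routed over lo0 (the host route for every local address points
# at lo0), and a skipped interface is never filtered.

# Translation runs before filtering, so only NAT what is allowed to leave.
# LAN-bound packets keep their 10.0.0.x source and the filter can still see it.
nat on $ext_if inet from $jail_net to ! $lan -> ($ext_if)
# Publish the web jail on the host's external address (assumed service).
rdr on $ext_if inet proto tcp to ($ext_if) port 80 -> $web_jail

block log all            # IPv6 is not configured in this example, so it stays blocked

# Non-vnet jails share the host stack, so jail packets only ever pass pf's
# "out" hook, on whatever interface the route picks: lo0 for the host's own
# addresses, em0 for the LAN. Matching by address instead of "on lo1" catches both.
block out log quick inet from $jail_net to $protected
# A jail may still talk to itself (its 127.0.0.1 is rewritten to its own IP)
# and, in this example, to other jails; narrow this if jails must not see each other.
pass quick on lo0 inet from $jail_net to $jail_net
# Anything else a jail sends is internet-bound; NAT has already rewritten it.
pass out quick on $ext_if inet from ($ext_if) to any keep state

# The host's own loopback and LAN traffic, plus the published service.
pass quick on lo0 inet from $host_ips to any
pass in quick on $ext_if inet proto tcp from any to $web_jail port 80 keep state
pass in quick on $ext_if inet proto tcp from $lan to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Then, from inside a jail, try `nc -vz 192.168.1.150 22` and `nc -vz 192.168.1.1 80` while running `tcpdump -ni pflog0` on the host (pflog_enable="YES" in rc.conf): both attempts should show up as logged blocks, while a connection to an internet address should succeed. The order of the block and the NAT rule matters: if the NAT rule translated LAN-bound packets too, the filter would only see the host's own address as source and the block could never match.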
 
Attach vnet interfaces to a bridge that connects to the physical interface. This way you can apply filter rules to/from the bridge and keep jails in their own network. With different bridges you can easily apply different rulesets to groups of jails.
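As an added example (not code from this thread), this pf.conf filters vnet jails on the host side of their epair, the member interface the post above is talking about. It sidesteps the unstable vnet0:JID name by putting every jail's host-side epair into the interface group `jails` (ifconfig's `group` keyword) and writing the rules against the group name. The rc.conf and jail.conf fragments in the comment, the interface names em0/bridge0/epair0 and the jail address 192.168.1.100 are assumptions, not taken from the thread.

```pf
# Added example, not code from the thread. pf.conf for vnet jails bridged onto
# the LAN through bridge0. Assumed rc.conf:
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 up"
# Assumed jail.conf entry: it creates an epair, hands the b end to the jail and
# puts the a end into the bridge and into the interface group "jails":
#   www {
#     vnet;
#     vnet.interface = "epair0b";
#     exec.prestart  = "ifconfig epair0 create up;
#                       ifconfig epair0a group jails;
#                       ifconfig bridge0 addm epair0a up";
#     exec.poststop  = "ifconfig epair0a destroy";
#   }
# pf only sees bridged frames when net.link.bridge.pfil_member=1 (sysctl.conf);
# check it with: sysctl net.link.bridge. Non-IP frames such as ARP are passed
# unfiltered while net.link.bridge.pfil_onlyip=1, which the jail needs to
# resolve its gateway.

ext_if = "em0"
lan    = "192.168.1.0/24"
gw     = "192.168.1.1"
table <jails> { 192.168.1.100 }   # one entry per jail, assumed addresses

# A frame from a jail is seen twice: "in" on its epair and "out" on em0.
# Bind states to the interface so the second sighting gets its own state
# instead of being matched against the first one.
set state-policy if-bound

# Jail side: rules on the group apply to every current or future epair.
block quick on jails inet6 all                                   # not covered here
block in log quick on jails inet from ! <jails>                  # spoofed source
pass in quick on jails inet proto udp from <jails> to $gw port 53  # optional: LAN DNS
block in log quick on jails inet from <jails> to $lan            # no LAN, no host
pass in quick on jails inet from <jails> to any                  # internet, routed by $gw
pass out quick on jails inet proto tcp to <jails> port 80        # published service
block out quick on jails all                                     # the host cannot reach the jail either

# LAN side: let jail traffic leave through em0 and accept the published port.
pass out quick on $ext_if inet from <jails> to any
pass in quick on $ext_if inet proto tcp to <jails> port 80
```

Load it with `pfctl -nf` followed by `pfctl -f`, then have the jail run `nc -vz 192.168.1.150 22` while `tcpdump -ni pflog0` runs on the host. If nothing is logged, look at `pfctl -vsr`: a block rule whose counters stay at zero after the test means the frames are not reaching pf at all (pfil_member off, or the epair not in the group), not that the rule is wrong. Blocking `to $lan` does not cut the jail off from the internet, because packets for outside addresses carry the gateway's MAC but an outside IP destination, which is all pf looks at here.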
 