PF Does a Jail IP use the rest of the rules in PF?

I have been using the rules below for a very long time, but recently I added the jail_IP and ext_IP rules. Everything works fine, but lately I've been wondering if I should have a firewall inside the receiving jail to protect it and the other jails behind it. Would you say that all is well and the rest of the rules are seen, or that I should build IPFW or PF in the first jail?

Code:
ext_if = "re0"
int_if = "re1"
jail_IP="10.10.10.101"
ext_IP = "xxx.xxx.xxx.xxx"

table <sshguard> persist
set loginterface $ext_if 
set optimization aggressive 

set block-policy return
set state-policy if-bound
set skip on lo0

scrub all no-df random-id min-ttl 5 max-mss 1440 reassemble tcp
scrub out on $ext_if no-df random-id

nat on $ext_if -> $ext_IP
pass out on $ext_if inet from {$ext_if, $jail_IP} to any keep state

pass quick on $int_if all
pass quick on lo0 all

pass out on $ext_if inet proto tcp from any to any port www keep state

...the rest of the rules. I'm wondering if these are used by the kernel before the Internet code reaches the jail?
 
Everything works fine, but lately I've been wondering if I should have a firewall inside the receiving jail to protect it and the other jails behind it.
That's not possible. At least not with the standard jails. If you want to run a firewall inside a jail you have to use VIMAGE/VNET jails.

Thank you SirDice … I guess my communication skills are still lacking. It's not easy to figure out how to complete a question. I fail at it almost all the time. With my statement *Everything works fine*, what I meant to indicate is that packet-filter on the host seems to be working for the host, but that I am unsure that it works to completion for the jail_IP and ext_IP entry. Lately I have been doubtful that these entries are actually working and suspect they are only bypassing the rest of the rules below them.

Would it be wrong to conclude that your reply indicates that my suspicion is correct? If so, I will be looking into VIMAGE/VNET for jails, which for me raises new questions. Would all jails behind this VIMAGE/VNET jail have to be created as VIMAGE/VNET jails? Are VIMAGE/VNET jails just as powerful, safe, simple and maintenance free as standard FreeBSD jails? The speed factor is also very important between the three.
 
I really haven't looked at the rules you posted. I thought you wanted to run a firewall inside a jail, that's not possible. A 'normal' jail runs on the host's network stack, which means a firewall can only be implemented on the host side. What VIMAGE/VNET does is virtualize the network stack so each jail can have its own, using this you can run a firewall inside a jail. Besides the network stack there's no difference between the two types of jail.

If I can avoid VIMAGE/VNET jails I will, but if that is the only way, I will use it, because there is no better separation of Internet than using the jail IP/ext_IP style. So, still SirDice, does the kernel use the rest of the rules for this style, which claims the ISP_IP to be used directly by a FreeBSD jail? One thing I think I know for sure: the host doesn't even have a clue of what's going on. He gets his share if he has something listening or running on the Internet. I did better than that ... I have nothing Internet related on the host to my knowledge. Port 22 and unbound have been disabled. I reinstate the host's Internet access by running a script when my FreeBSD host needs anything Internet related. By doing this I have been witnessing true separation for weeks. Everything Internet related goes straight into the jail. But now and then I realize it may not be protected by the firewall.

I could be fooling myself again, but to me this is the kind of added security that the FreeBSD host needs. I got the code from here after an extensive Google search while looking into something else, like unbound, SSH, and SSL, for about a month to date.

I just wonder if the kernel takes over all rules to be used in a special way from the beginning for jails also, just like it does in jail(8) with jail_enable="YES", which included my sshguard that is out of place, above where TABLE is supposed to be.

Now I wonder if the PF ext_IF command is smart enough to run all rules before allowing the TRANSLATION department, NAT, to take control. It could be an undocumented process. That is what I'm asking about, I skinny. I just don't want to be stuck in a dream world of thinking my final conclusion is correct when it never was. I have been there too many times already. I'm thinking maybe the kernel and/or other specialized applications may have been built smarter than we think. This leaves me no choice but to ask. So I ask again.
 
There is nothing in PF that is jail aware. It treats all traffic equal regardless of the source, jail or the real host. There is also no "undocumented process" about NAT. It all happens in a very clearly defined order, NAT first then packet filtering. The most obvious consequence of that is that you have to write filter rules for rdr'ed traffic using the translated destination addresses. For example (if you write your rules this way):

Code:
rdr on $ext_if inet proto tcp from any to ($ext_if) port http -> 192.168.100.100 port http
...
pass in on $ext_if inet proto tcp from any to 192.168.100.100 port http
...
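Putting that ordering to work, here is an added host-side ruleset for a standard (non-VNET) jail; it is not code from the thread, and the interface, the addresses and the forward of external port 2222 to the jail's port 22 are assumed. The tag on the nat rule is what keeps the jail's outbound traffic identifiable after translation.

```pf
# Added example: host pf.conf fragment for a standard jail. pf has no notion
# of jails; it only sees addresses and interfaces. Names are assumed.
ext_if  = "re0"
jail_ip = "10.10.10.101"        # alias address the jail runs on (assumed)
table <sshguard> persist

set skip on lo0
scrub in all

# Translation is evaluated before filtering.
# Inbound: external port 2222 is forwarded to sshd in the jail.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $jail_ip port 22
# Outbound: the jail leaves with the host's external address; the tag marks
# these packets so later filter rules can still tell them from host traffic.
nat on $ext_if inet from $jail_ip to any tag JAIL_OUT -> ($ext_if)

# Filter rules see the translated packet, so the inbound pass names the
# jail address and port 22, not ($ext_if) port 2222.
block in log on $ext_if
block out log on $ext_if
block in quick on $ext_if from <sshguard> label "ssh bruteforce"
pass in on $ext_if inet proto tcp from any to $jail_ip port 22 \
    flags S/SA synproxy state

# What the jail may reach, independent of what the host itself may do.
pass out on $ext_if inet proto { tcp udp } from any to any port { 53 80 443 } \
    tagged JAIL_OUT keep state
# Host-only traffic: untagged packets, here just outbound SSH.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 22 \
    ! tagged JAIL_OUT keep state

# Check the syntax without loading: pfctl -nf /etc/pf.conf
```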
 
Kpa, excuse me for my lameness, but are you saying there is hope for standard jails jail_IP style by using redirection to gather up the following rules before NAT takes complete control? If this is what you are saying I will be searching on how redirection works. This kind of thing reminds me about coding at low level, something like push NAT … run internet through the rules… pop NAT… go to work. I guess redirection makes all of this possible. I don’t care what I got to do, as long as there is hope, I like jail_IP that much.

I'm posting the rules I use. Only a few things have been changed since Hermelito's original FreeBSD 8.2 packet-filter article. I really want to get this right, and if it is not possible I'll get into VIMAGE/VNET, which I'm sure is way over my head or will drive me crazier than I already am. I swear by his code, but not my inclusions:
Code:
#########################################		Using Jail
#  From unixguide.net & FreeBSD forum
#########################################

ext_if = "re0"
int_if = "re1"
jail_b="xx.x.x.xx"
ext_IP = "xxx.xxx.x.x"

dns1 = "xxx.xx.xx.xx"
dhcp = "xxx.xxx.x.255"

icmp_types = "{ 0, 3, 4, 8, 11, 12 }"			#  allowed ICMP types

ob_state = "flags S/SA modulate state"			#  outbound
ib_state = "flags S/SA synproxy state"			#  inbound
#  ____________________________________________________________
#								     [TABLES]
table <sshguard> persist
#  ____________________________________________________________
#								    [OPTIONS]
set loginterface $ext_if  #   gather statistics on this interface
set optimization aggressive   # drop state fast without having excessively low timeouts.

set block-policy return   #   a TCP RST packet is returned for blocked TCP
			  #   packets and an ICMP Unreachable packet is
			  #   returned for all others.	squid
#set block-policy drop	  #   default block behavior to packet silently dropped
set state-policy if-bound #   states are bound to interface created on
##set loginterface $_WAN  #   gather statistics on this interface

set skip on lo0		  #   KDE uses loopback
#  ____________________________________________________________
#						      [TRAFFIC NORMALIZATION]
#scrub in on $ext_if all reassemble tcp no-df random-id
scrub all no-df random-id min-ttl 5 max-mss 1440 reassemble tcp
scrub out on $ext_if no-df random-id
#scrub in all		  #   scrub out on $ext_if all random-id
#scrub reassemble tcp	  #   Make sure clean & sane fragment reassemble

#block in all

#block out proto { tcp, udp } all			# all but a single user
#pass out proto { tcp, udp } all user { < 1000, jer }
#  ____________________________________________________________
#								   [QUEUEING]
#  Possible example:
# - altq on fxp0 cbq bandwidth 2Mb queue (std, ssh, ftp)
#  ____________________________________________________________
#								 [TRANSLATION]

nat on $ext_if -> $ext_IP						#  jail_b
pass out on $ext_if inet from {$ext_if, $jail_b} to any keep state	#  jail_b


##nat on $ext_if from !($ext_if) -> ($ext_if:0)	# TRANSLATION
pass quick on $int_if all 			# No restrictions on LAN Interface
pass quick on lo0 all				# No restrictions on Loopback Interface

pass in on $int_if inet proto tcp from any to 10.0.0.1 port 8880 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $int_if inet proto tcp from any to 192.168.1.254 port 3389



#  ____________________________________________________________
#  ____________________________________________________________
#							          [OUT BOUND]

pass out quick on $ext_if proto tcp from any to $dns1 port 53 $ob_state  #  dns in resolv
pass out quick on $ext_if proto udp from any to $dns1 port 53 keep state

pass out quick on $ext_if proto udp from any to $dhcp port 67 keep state #  dhcp

pass out quick on $ext_if proto tcp from any to any port 80 $ob_state    #  INTERNET out ****

pass out quick on $ext_if proto tcp from any to any port 443 $ob_state   #  https over TLS SSL

pass out quick on $ext_if inet proto icmp from any to any icmp-type 8 keep state #  ping out
pass out quick on $ext_if proto tcp from any to any port 43 $ob_state    #  whois PC

pass out quick on $ext_if proto tcp from any to any port 22 $ob_state    #  SSH FTP-Tel-SCP out

# block out log quick on $ext_if all                                     #  trying to get out
#  ____________________________________________________________
#  ____________________________________________________________
#							          [IN BOUND]

block in quick on $ext_if from <sshguard> label "ssh bruteforce"  #  guard all, not just ssh

#  Block all inbound traffic from non-routable or reserved address spaces
block in quick on $ext_if from 192.168.0.0/16 to any	#  RFC 1918 private IP
block in quick on $ext_if from 172.16.0.0/12 to any	#  RFC 1918 private IP
block in quick on $ext_if from 10.0.0.0/8 to any	#  RFC 1918 private IP

block in quick on $ext_if from 127.0.0.0/8 to any	#  loopback
block in quick on $ext_if from 0.0.0.0/8 to any		#  loopback

block in quick on $ext_if from 169.254.0.0/16 to any	#  DHCP auto-config
block in quick on $ext_if from 192.0.2.0/24 to any	#  reserved for doc's
block in quick on $ext_if from 204.152.64.0/23 to any	#  Sun cluster connect
block in quick on $ext_if from 224.0.0.0/3 to any 	#  Class D & E multicast

block in quick on $ext_if inet proto icmp all icmp-type 8	#  Block public pings in
block in quick on $ext_if proto tcp from any to any port 113	#  Block ident in

#  Block all Netbios service. 137=name, 138=datagram, 139=session 
#  Netbios is MS/Windows sharing services.
#  Block MS/Windows hosts2 name server requests 81

block in log quick on $ext_if proto tcp from any to any port 137	# $netbios_tcp
block in log quick on $ext_if proto udp from any to any port 137	# $netbios_udp

block in log quick on $ext_if proto tcp from any to any port 138
block in log quick on $ext_if proto udp from any to any port 138

block in log quick on $ext_if proto tcp from any to any port 139
block in log quick on $ext_if proto udp from any to any port 139

block in log quick on $ext_if proto tcp from any to any port 81
block in log quick on $ext_if proto udp from any to any port 81

pass in quick on $ext_if proto udp from $dhcp to any port 68 keep state  # cable-DSL-dhcp in
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types
pass in quick on $ext_if proto tcp from any to any port 22 $ib_state  # SSH FTP-Telnet-SCP in

block in log quick on $ext_if all                                       #  trying to get in
############################# End of rules file 
 
When looking at the firewall rules forget about jails, just pretend they're real physical machines sitting behind the firewall. From the firewall's point of view it's really not that different, it has absolutely no concept of jails or anything else. It only "sees" network packets, IP addresses and interfaces, nothing less, nothing more.
 
Hey guys, I just thought about it. I don't need the firewall rules inside the jail anyway. It is enough that someone figured out a way to use the ext_IP in the jail by itself, and that I kill any hope of the host gaining Internet access. I should not be concerned about the rules, because the machine will connect only to a VPN anyway and will never be used for surfing the web. Keeping web access out of the host and only in a jail is all I need.

It does seem to be using sshguard. If this is not true, then I'll just put denyhost in the jail and be done with it. I think I got a win-win, and to boot I learned so much more about what jails really can do and how they fit into the network stack. I hope I got it right. Thanks again guys. It has been mind-blowing.
Code:
/bin/sh /etc/rc.shutdown 
vidcontrol: getting active vty: Inappropriate ioctl for device 
Stopping jails: b_dns. 
Stopping cron. 
Waiting for PIDS: 29661. 
Stopping sshd. 
Waiting for PIDS: 2257. 
Stopping sshguard. 
Waiting for PIDS: 86838. 
Stopping devd. 
Waiting for PIDS: 50347. 
Writing entropy file:. 
. 
Terminated
... but after I tried again, this is all I got. So is the jail still using sshguard?
Code:
/bin/sh /etc/rc.shutdown 
vidcontrol: getting active vty: Inappropriate ioctl for device 
Stopping jails: b_dns. 
Writing entropy file:. 
. 
Terminated
 
If you want something like security/sshguard you need to run it on the host. One of my VPS uses it to protect the SSH of the host and a jail running mail. To protect services inside the jails just provide the path, the host can access the jail's filesystems.

Code:
sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth.log:/jails/mail/var/log/maillog:/jails/mail/var/log/exim/rejectlog"
Here I've added the logging of the mail jail to sshguard that's running on the host.
 