Hello,
I have a FreeBSD box with two jails in it. Each jail has two interfaces. I also have a bridge residing on the main machine to connect one of the two interfaces of the jails together.
Jail 1 has interface A: 192.168.1.2 and Interface B: 10.0.0.1
Jail 2 has interface C: 192.168.1.3 and Interface D: 172.16.0.1
Host Machine has many interfaces but the most important ones right now are
bridge0: 192.168.1.1 so that interface A and Interface C can ping each other.
msk0: 1.1.1.1
em0: 2.2.2.2
I wish to strengthen my scheme using a firewall. However, when I execute the firewall settings I seem to get a block on traffic between the jails with Permission Denied and I can't seem to figure out why. I get this error when trying to ping the host from interface A. When I ping interface A from the host, it just halts like it's expecting a return which is being dropped. So I'm assuming echo replies are not passing through.
Other than this, I would eventually like to bind interface B to em0, so that those two are forwarding traffic to each other and only to each other. I really don't know how to do this. When I'm not using a firewall, everything can reach everything as it is supposed to be. I just want to make sure everything is only reaching what it's supposed to be reaching.
I'm sure the solution is simple, I'm just new to ipfw (and FreeBSD).
Here are my rules so far:
Code:
#!/bin/sh
ipfw -q -f flush
# Set Defaults
ks="keep-state"
cmd="ipfw -q add"
pif="msk0"
# No restriction on loopback
$cmd 005 allow all from any to any via lo0
# Allow packet through if previously added
$cmd 010 check-state
# Allow incoming and outgoing ping to the main interface
$cmd 015 allow icmp from any to any out via $pif $ks
$cmd 016 allow icmp from any to any in via $pif $ks
# Allow IPSec
$cmd 017 allow log esp from any to any
$cmd 018 allow log ah from any to any
$cmd 019 allow log ipencap from any to any
$cmd 020 allow log udp from any 500 to any
# Allow connection to/from the jail
$cmd 021 allow icmp from 192.168.1.0/24 to any in
$cmd 022 allow icmp from any to 192.168.1.0/24 in
#Deny Everything else by default
$cmd 999 deny log all from any to any
Oh and finally, do I need NAT? I'm not really clear what NATing is (yeah, network address translation, but I don't really know what it does) so I just assumed that I don't need it. All my IP addresses are fixed and I'm working in a controlled LAN and don't need internet access of any sort. The reason I ask is that maybe all of this is failing because I have not compiled my kernel with IPDIVERT. So I'm wondering...
Thanks a lot in advance
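An added example, not the poster's script and not FreeBSD project code: in the posted ruleset, rules 021 and 022 match ICMP on the jail network in the `in` direction only, and the only `out` rule (015) is restricted to msk0, so ICMP leaving via bridge0 in either direction has no matching allow and falls through to rule 999. ipfw reports a packet denied on output to the sending process as Permission denied, which is the symptom described. The script below writes the bridge rules for both directions, adds a rule pair that lets interface B (10.0.0.1) and em0 (2.2.2.2) exchange traffic only with each other (my reading of "bind interface B to em0"), and generates the ruleset into a file first so it can be reviewed and syntax checked with `ipfw -n` before it is loaded. Interface names and addresses are the ones from the post; the rule numbers and the variable names are my choice. NAT is not involved here: with fixed addresses and no address rewriting nothing needs translating, and IPDIVERT is only required for natd's divert sockets, while ipfw itself needs the IPFIREWALL kernel option or the ipfw kernel module.

```sh
#!/bin/sh
# Added example for the layout in the post (jails A and C on bridge0 in
# 192.168.1.0/24, host side of the bridge 192.168.1.1, msk0 1.1.1.1,
# em0 2.2.2.2, jail 1 interface B 10.0.0.1). Not the poster's script.

PIF="msk0"                  # main interface, as in the posted script
BRIDGE_IF="bridge0"         # bridge joining interfaces A and C
JAIL_NET="192.168.1.0/24"   # A, C and the host side of the bridge
IF_B_IP="10.0.0.1"          # jail 1, interface B
EM0_IP="2.2.2.2"            # host, em0

# Print the ruleset in the one-command-per-line form that `ipfw <file>` loads.
# 030/031 allow ICMP across the bridge in BOTH directions (the posted rules
# only had `in`); 040-043 pin interface B and em0 to each other and log any
# other traffic involving interface B; 999 is the default deny.
gen_rules() {
    cat <<EOF
flush
add 005 allow all from any to any via lo0
add 010 check-state
add 015 allow icmp from any to any out via $PIF keep-state
add 016 allow icmp from any to any in via $PIF keep-state
add 017 allow log esp from any to any
add 018 allow log ah from any to any
add 019 allow log ipencap from any to any
add 020 allow log udp from any 500 to any
add 030 allow icmp from $JAIL_NET to $JAIL_NET in via $BRIDGE_IF
add 031 allow icmp from $JAIL_NET to $JAIL_NET out via $BRIDGE_IF
add 040 allow ip from $IF_B_IP to $EM0_IP
add 041 allow ip from $EM0_IP to $IF_B_IP
add 042 deny log ip from $IF_B_IP to any
add 043 deny log ip from any to $IF_B_IP
add 999 deny log all from any to any
EOF
}

# Count the rules that would be added; handy for a quick sanity check.
count_rules() {
    gen_rules | grep -c '^add '
}

# Write the rules to a temp file and run ipfw on it. With "-n" ipfw only
# parses the rules and loads nothing, so the set can be checked first.
run_ipfw() {
    f=$(mktemp) || return 1
    gen_rules > "$f"
    ipfw "$@" -q -f "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

check_rules() { run_ipfw -n; }
apply_rules() { run_ipfw; }

case "${1:-show}" in
    show)  gen_rules ;;
    check) check_rules ;;
    apply) apply_rules ;;
esac
```

Run it with no argument to print the rules, with `check` to have ipfw parse them without touching the running firewall, and with `apply` to load them. Because the rules are loaded from a file with `flush` as the first line, the whole set is replaced atomically instead of being added one `ipfw add` at a time. The ICMP-only rules on the bridge reflect the ping test in the post; any other protocol the jails should exchange needs its own allow rule above 999.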