PF pf for netgraph jails

girgen@

Developer
FreeBSD-14.1
I have a rather simple setup with jails using netgraph (using the `/usr/share/examples/jails/jng` script and "model").

The host machine has two interfaces:
bnxt0: (external, has no IP#)
bnxt1: 192.168.1.79/24

jail.conf:

Code:
host.hostname = "$name.example.com";    # hostname

path = "/jails/$name";

exec.clean;
exec.system_user = "root";
exec.jail_user = "root";

vnet;

# netgraph
vnet.interface = ng0_$name, ng1_$name;          # vnet interface(s)
exec.prestart += "jng bridge $name bnxt0 bnxt1";        # bridge interface(s)
exec.poststop += "jng shutdown $name";  # destroy interface(s)

exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_$name.log";
mount.devfs;    # mount devfs

mount.fdescfs;
devfs_ruleset=5;

allow.mlock=1;

mount.fstab="/etc/fstab.$name";

fw {}

This creates a single jail 'fw'.

/jails/fw/etc/rc.conf:
hostname=fw.example.com
ifconfig_ng0_fw="inet 1.2.3.4/26"
ifconfig_ng1_fw="inet 192.168.1.212/24"
defaultrouter="1.2.3.1"

sshd_enable="yes"

Code:
$ sudo ngctl list
There are 8 total nodes:
  Name: ngctl69965      Type: socket          ID: 00000021   Num hooks: 0
  Name: bnxt0           Type: ether           ID: 00000001   Num hooks: 2
  Name: bnxt1           Type: ether           ID: 00000002   Num hooks: 2
  Name: ue0             Type: ether           ID: 00000003   Num hooks: 0
  Name: bnxt0bridge     Type: bridge          ID: 00000009   Num hooks: 3
  Name: ng0_fw          Type: eiface          ID: 0000000e   Num hooks: 1
  Name: bnxt1bridge     Type: bridge          ID: 00000016   Num hooks: 3
  Name: ng1_fw          Type: eiface          ID: 0000001b   Num hooks: 1

I plan to create a reasonably large number of jails this way, by just adding jname {} to the jail.conf file.

Now, I would like to have a simple generic setup with pf filtering out unwanted ports from incoming traffic.

I tried this simplistic setup:
Code:
ext_if = "bnxt0"
int_if = "bnxt1"
dns_servers = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"

block in on $ext_if

pass in on $ext_if proto { tcp udp } from $dns_servers to any port 53
pass in on $ext_if proto tcp from any to any port { 80 443 22 }

but nothing happens; everything is passed directly into the jail:

nc -l 4444

and I can just telnet 1.2.3.4 4444. I assume I'm making some simple mistake here, but I find very little information wrt the combo of netgraph, pf and jails. Any tips? I tried configuring pf to work on the bridge interface, but it made no difference.
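As an added example (not part of the original post, and not the jng script's own configuration): the same filtering intent written as a pf.conf that is loaded inside the vnet jail `fw`, where the jail's own network stack owns `ng0_fw` and `ng1_fw`. It assumes pf.ko is loaded on the host and `pf_enable="YES"` is set in the jail's rc.conf; the interface names and resolver addresses are taken from the post, everything else is an assumption. Inbound traffic on the external side is denied by default and logged, so the `nc -l 4444` check from the post can be used to confirm the rules are taking effect.

```pf
# Added example: /etc/pf.conf inside the vnet jail "fw" (not the post's own file).
# Assumes pf.ko is loaded on the host and pf_enable="YES" in the jail's rc.conf.
ext_if = "ng0_fw"     # jail side of the bnxt0 bridge (1.2.3.4/26)
int_if = "ng1_fw"     # jail side of the bnxt1 bridge (192.168.1.212/24)
dns_servers = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"

set skip on lo0
set block-policy drop

# Default deny inbound on the external interface; log blocked packets so
# "tcpdump -n -e -ttt -i pflog0" shows what was rejected. Outbound is stateful.
block in log on $ext_if
pass out on $ext_if keep state

# Only the listed resolvers may reach port 53; web and ssh are open to all.
pass in on $ext_if proto { tcp udp } from $dns_servers to any port 53 keep state
pass in on $ext_if proto tcp from any to any port { 80 443 22 } keep state

# Internal side left open, matching the trust model of the original ruleset.
pass in on $int_if
pass out on $int_if
```

Inside the jail, `pfctl -nf /etc/pf.conf` checks the syntax without loading, `pfctl -f /etc/pf.conf` loads the rules, and `pfctl -sr` lists what is active. With the rules loaded, a `telnet 1.2.3.4 4444` from outside should time out rather than connect, and the attempt should appear on `pflog0`, while ports 22, 80 and 443 still answer.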