PF on host with VNET jails

Hi

I've been trying to configure a firewall (on the host system) that protects my VNET jails, but I can't get it to work. Currently, pf protects my host system but not my jails. Has anyone successfully configured pf to do this?

System Info:
FreeBSD 12.0-RELEASE.
Jails configured with iocage and iocell (legacy) with VNET turned ON.
 

Attachment: pf conf.txt
I can't tell your network setup from your pf.conf. How are your vnet jails connected to the network?

Think of vnet jails as machines connected on the network. Configure your pf as you would for that use case.
 
Just follow the handbook?

You can always assign your jails to use lo0 which means they won't be automatically connected to your network. After that you can set up forwarding rules which will allow specific ports to contact the appropriate jail.

Also... what made you conclude that it "doesn't protect your jails"?
 
@Kristof Provost,
Which conf files would you like to see? /etc/rc.conf?

@ShelLuser,
It's done using a bridge to the Ethernet port.

# From /etc/rc.conf
cloned_interfaces="bridge0 bridge1"
ifconfig_bridge0="addm em1 up"

I concluded by testing access to the jail and host from LAN. I am able to connect to my jails even though I have not set a pass rule.
 
VNET jails are a bit different. They don't live on lo0, they have their own network interfaces (usually an epair, but that could be a physical NIC too).
 
@Kristof Provost,
Which conf files would you like to see? /etc/rc.conf?
Yes, or however you've got that set up.

Are you bridging your VNET jails to the LAN? If so, that explains why they're not being filtered by pf.

It's possible to get pf to filter on bridged traffic, but it's a terrible idea. Don't do that. Instead change your network config so that your jails are routed to the LAN.
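A routed layout of the kind described above, shown as an added example that is not part of the original thread, the poster's attachments, or iocage/iocell's own configuration: the bridge is dropped, the jail sits on its own epair behind a host subnet, and pf on the host NATs the jail network out and forwards only the published ports in (which is also the "forwarding rules" approach suggested earlier in the thread). Plain jail.conf is used instead of iocage so the moving parts are visible; the LAN addresses, the 10.0.0.0/24 jail subnet, the interface names epair0a/epair0b, the jail path, and the TeamSpeak ports 9987/udp, 10011/tcp and 30033/tcp are all assumptions.

```conf
# /etc/rc.conf (host) -- assumed example layout, not the poster's file.
# The cloned_interfaces="bridge0 ..." / "addm em1" lines are gone: em1 stays
# a plain routed LAN interface and the host forwards between it and the jail.
ifconfig_em1="inet 192.168.1.10/24"     # host LAN address (assumed)
defaultrouter="192.168.1.1"             # LAN gateway (assumed)
gateway_enable="YES"                    # let the host route em1 <-> epair0a
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
jail_enable="YES"
jail_list="teamspeak"

# /etc/jail.conf (host) -- one VNET jail on its own epair, routed, not bridged.
teamspeak {
    host.hostname = "teamspeak";
    path = "/usr/local/jails/teamspeak";   # assumed path
    vnet;
    vnet.interface = "epair0b";            # jail end of the pair moves into the jail
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.1/24 up";   # host end = jail gateway
    exec.start     = "ifconfig epair0b inet 10.0.0.2/24 up";   # runs inside the jail
    exec.start    += "route add default 10.0.0.1";
    exec.start    += "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair0a destroy";               # destroys both ends
    persist;
}

# /etc/pf.conf (host)
ext_if   = "em1"
jail_if  = "epair0a"
jail_net = "10.0.0.0/24"
ts_jail  = "10.0.0.2"
ts_udp   = "9987"                # TeamSpeak voice (assumed default port)
ts_tcp   = "{ 10011, 30033 }"    # TeamSpeak query and file transfer (assumed)

set skip on lo0
scrub in all

# Jails leave through the host's LAN address ...
nat on $ext_if from $jail_net to any -> ($ext_if)
# ... and only the published ports are forwarded in, each to exactly one jail.
rdr on $ext_if proto udp from any to ($ext_if) port $ts_udp -> $ts_jail
rdr on $ext_if proto tcp from any to ($ext_if) port $ts_tcp -> $ts_jail

block log all                                                   # default deny, host and jails alike
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state   # host administration

# rdr runs before filtering, so forwarded packets arrive on em1 with the jail
# as destination; anything not translated above still hits "block".
pass in on $ext_if proto udp to $ts_jail port $ts_udp keep state
pass in on $ext_if proto tcp to $ts_jail port $ts_tcp keep state

# Jail side of the host: forwarded traffic goes out epair0a, jail-originated
# traffic comes in on it and is then NATed out em1 by the rules above.
pass out on $jail_if keep state
pass in on $jail_if from $jail_net keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, then confirm what is active with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules), and test from another LAN machine that the jail answers only on the forwarded ports while everything else is dropped. One caveat for the other jails mentioned in the thread: the multicast discovery that UPnP/SSDP clients rely on does not cross a routed hop, so jails such as media servers that depend on LAN discovery need either explicit static forwards like the ones above or a multicast relay on the host; the routed design trades that convenience for pf actually seeing every packet.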
 
Yes, or however you've got that set up.

Are you bridging your VNET jails to the LAN? If so, that explains why they're not being filtered by pf.

It's possible to get pf to filter on bridged traffic, but it's a terrible idea. Don't do that. Instead change your network config so that your jails are routed to the LAN.

If I understand the configuration correctly, then I have bridged the jails to em1 (a physical Ethernet port). I have attached /etc/rc.conf and the jail configuration files (one for iocage and one for iocell). Also, I am using TeamSpeak as a reference. The server/NAS has multiple jails and some of them require UPnP (Logitech Media Server, Plex Media Server), which is why I am using VNET in the first place.

I'd say use pf in jail.

I'll look into that if I can't get it to work on the host
 

Attachments: host-etc-rcConf.txt, iocageTeamspeakConfig.txt, iocellTeamspeakConfig.txt