pf for netgraph jails?
- Reply: Patrick M. Hausen: "Re: pf for netgraph jails?"
- Reply: Marek Zarychta : "Re: pf for netgraph jails?"
Date: Wed, 16 Oct 2024 14:19:40 UTC
Hi! Using FreeBSD-14.1, I have a rather simple setup with jails using netgraph (using the `/usr/share/examples/jails/jng` script and "model"). The host machine has two interfaces:

bnxt0: (external, has no IP#)
bnxt1: 192.168.1.79/24

jail.conf:
--
host.hostname = "$name.example.com";    # hostname
path = "/jails/$name";
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
vnet;                                    # netgraph
vnet.interface = ng0_$name, ng1_$name;   # vnet interface(s)
exec.prestart += "jng bridge $name bnxt0 bnxt1";  # bridge interface(s)
exec.poststop += "jng shutdown $name";            # destroy interface(s)
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_$name.log";
mount.devfs;                             # mount devfs
mount.fdescfs;
devfs_ruleset=5;
allow.mlock=1;
mount.fstab="/etc/fstab.$name";

fw {}
--
which creates a single jail `fw'.

/jails/fw/etc/rc.conf:
--
hostname=fw.example.com
ifconfig_ng0_fw="inet 1.2.3.4/26"
ifconfig_ng1_fw="inet 192.168.1.212/24"
defaultrouter="1.2.3.1"
sshd_enable="yes"
--

$ sudo ngctl list
There are 8 total nodes:
  Name: ngctl69965      Type: socket          ID: 00000021   Num hooks: 0
  Name: bnxt0           Type: ether           ID: 00000001   Num hooks: 2
  Name: bnxt1           Type: ether           ID: 00000002   Num hooks: 2
  Name: ue0             Type: ether           ID: 00000003   Num hooks: 0
  Name: bnxt0bridge     Type: bridge          ID: 00000009   Num hooks: 3
  Name: ng0_fw          Type: eiface          ID: 0000000e   Num hooks: 1
  Name: bnxt1bridge     Type: bridge          ID: 00000016   Num hooks: 3
  Name: ng1_fw          Type: eiface          ID: 0000001b   Num hooks: 1

I plan to create a reasonably large number of jails this way, by just adding jname {} to the jail.conf file. Now, I would like to have a simple generic setup with pf filtering out unwanted ports from incoming traffic.

I tried this simplistic setup:
--
ext_if = "bnxt0"
int_if = "bnxt1"

block in on $ext_if

dns_servers = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"

pass in on $ext_if proto { tcp udp } from $dns_servers to any port 53
pass in on $ext_if proto tcp from any to any port { 80 443 22 }
--
but nothing happens, everything is passed directly into the jail: nc -l 4444 (inside the jail) and I can just telnet 1.2.3.4 4444

I assume I'm making some simple mistake here, but find very little information wrt the combo of netgraph, pf and jails. Any tips? I tried configuring pf to work on the bridge interface but no difference. What am I missing here?

Palle
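A vnet jail runs its own network stack, and ng_bridge hands Ethernet frames to ng0_fw without ever passing them through the host's IP stack, so a ruleset loaded on the host never sees the jail's traffic; the pf instance inside the jail does. The following is an added example, not from the thread, of a /jails/fw/etc/pf.conf that applies the same policy inside the jail; it assumes pf_enable="YES" in the jail's rc.conf and that devfs ruleset 5 (the stock devfsrules_jail_vnet) unhides /dev/pf, which the jail.conf above already selects.

```pf
# /jails/fw/etc/pf.conf (added example; interface names and addresses as in the post)
ext_if = "ng0_fw"          # jail side of the bnxt0 bridge, 1.2.3.4/26
int_if = "ng1_fw"          # jail side of the bnxt1 bridge, 192.168.1.212/24
dns_servers = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"

set skip on lo0

# Default deny for anything arriving on the external interface.
# pass rules below keep state implicitly, so replies to allowed
# connections return without extra rules.
block in on $ext_if

# Connections the jail itself opens to the outside (and their replies).
pass out on $ext_if

# Only the listed resolvers may reach port 53, on either transport.
pass in on $ext_if proto { tcp, udp } from $dns_servers to ($ext_if) port 53

# Public services; the nc -l 4444 test from the post is now blocked
# by the default-deny rule above.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80, 443, 22 }

# Internal side left unfiltered, as in the original host ruleset.
pass on $int_if
```

Inside the jail, `pfctl -vsr` shows per-rule packet counters, which is the quickest way to confirm that this instance, rather than the host's, is the one seeing the bridged traffic.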