pf for netgraph jails?

Reply: Patrick M. Hausen: "Re: pf for netgraph jails?"
Reply: Marek Zarychta : "Re: pf for netgraph jails?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Palle Girgensohn <girgen_at_FreeBSD.org>
Date: Wed, 16 Oct 2024 14:19:40 UTC

Hi!

Using FreeBSD-14.1, I have a rather simple setup with jails using netgraph (using the `/usr/share/examples/jails/jng` script and "model").

The host machine has two interfaces:
bnxt0: (external, has no IP#)
bnxt1: 192.168.1.79/24

jail.conf:

--
host.hostname = "$name.example.com <http://name.example.com/>";    # hostname

path = "/jails/$name";

exec.clean;
exec.system_user = "root";
exec.jail_user = "root";

vnet;

# netgraph
vnet.interface = ng0_$name, ng1_$name;          # vnet interface(s)
exec.prestart += "jng bridge $name bnxt0 bnxt1";        # bridge interface(s)
exec.poststop += "jng shutdown $name";  # destroy interface(s)

exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_$name.log";
mount.devfs;    # mount devfs

mount.fdescfs;
devfs_ruleset=5;

allow.mlock=1;

mount.fstab="/etc/fstab.$name";

fw {}
--

which creates a single jail `fw'.

/jails/fw/etc/rc.conf:
--
hostname=fw.example.com <http://fw.example.com/>
ifconfig_ng0_fw="inet 1.2.3.4/26"
ifconfig_ng1_fw="inet 192.168.1.212/24"
defaultrouter="1.2.3.1"

sshd_enable="yes"
--


$ sudo ngctl list
There are 8 total nodes:
 Name: ngctl69965      Type: socket          ID: 00000021   Num hooks: 0
 Name: bnxt0           Type: ether           ID: 00000001   Num hooks: 2
 Name: bnxt1           Type: ether           ID: 00000002   Num hooks: 2
 Name: ue0             Type: ether           ID: 00000003   Num hooks: 0
 Name: bnxt0bridge     Type: bridge          ID: 00000009   Num hooks: 3
 Name: ng0_fw          Type: eiface          ID: 0000000e   Num hooks: 1
 Name: bnxt1bridge     Type: bridge          ID: 00000016   Num hooks: 3
 Name: ng1_fw          Type: eiface          ID: 0000001b   Num hooks: 1

I plan to create a reasonably large number of jails this way, by just adding jname {} to the jail.conf file.

Now, I would like to have a simple generic setup with pf filtering out unwanted ports from incoming traffic.

I tried this simplistic setup:
--
ext_if = "bnxt0"
int_if = "bnxt1"


block in on $ext_if


dns_servers = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"


pass in on $ext_if proto { tcp udp } from $dns_servers to any port 53
pass in on $ext_if proto tcp from any to any port { 80 443 22 }
--

but nothing happens, everything is passed directly into the jail:

nc -l 4444   (inside the jail)

and I can just telnet 1.2.3.4 4444

I assume I'm doing some simple mistake here, but find very little information wrt the combo of netgraph, pf and jails. Any tips? I tried configuring pf to work  on the bridge interface but no difference. What am I missing here?

Palle