how to make a non-vnet jail local only?
Ernie Luzar
luzar722 at gmail.com
Wed Aug 5 14:17:39 UTC 2020
Arthur Chance wrote:
> On 05/08/2020 02:02, Ernie Luzar wrote:
>> I have non-vnet jails working that can reach the public internet.
>> But now I would like to make some local only non-vnet jails that can
>> only access other local only non-vnet jails. By local I mean having no
>> access to the public internet.
>>
>> How do I make this happen?
>>
>> Thanks for any pointers.
>
> Create a second loopback interface (cloned_interfaces="lo1" in
> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
> local jails on lo1 without access to any other interface.
>
I tested this already and it doesn't work.
A non-vnet jail with lo99 for the nic and an ip address of 10.0.28.5 can
still reach the public internet.
I also tested a non-vnet jail with re0 for the nic and an ip address of
127.0.10.10, and it can NOT reach the public internet.
I created a second non-vnet jail with re0 for the nic and an ip address
of 127.0.10.11, and it can NOT reach the public internet either.
But these 2 jails can ping each other.
So the nic loX has nothing to do with limiting the non-vnet jail to
local host access only. Based on the above 2 tests it looks like the
127.0.0.2 through 127.255.255.254 ip address range is the local host
controlling factor.
Just to cover all the bases. The host firewall allows the lo0 interface
to pass without any rules. The lo99 interface has no firewall rules at
all or any NAT rules for 127.0.0.0/8. 10.0.0.0/8 is the only ip address
range being NATed.
To see whether 127.0.0.0/8 has some special internal limiting factor on
it, or whether the firewall not NATing 127.0.0.0/8 is the cause of the
non-vnet jails not being able to reach the public internet, I created a
3rd non-vnet jail with re0 for the nic and an ip address of
192.168.10.10 and made no changes to the firewall or NAT. This jail can
NOT reach the public internet, but can ping the other 2 local only jails
127.0.10.10 and 127.0.10.11.
So the conclusion is that loX or 127.0.0.0/8 has nothing to do with
being the controlling factor between local or public non-vnet jails. The
real controlling factor is in the jail's ip address being NATed or not.
Can this conclusion be disputed?
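The configuration the tests above describe, written out as an added example that is not from the thread or from anyone posting in it. It assumes pf as the host firewall, jails rooted under /jails, the interface and address values quoted in the message (re0, 10.0.28.5, 127.0.10.10, 127.0.10.11), and a hypothetical jail.conf layout; the point it adds is that the local-only policy is stated as an explicit pf block rule rather than left to depend on a NAT rule that happens not to match.

```conf
# ---- /etc/jail.conf (hypothetical layout; values from the tests above) ----
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.internal";   # assumed naming

# Public jail: its address sits in 10.0.0.0/8, the only range pf NATs.
pub1 { ip4.addr = "re0|10.0.28.5/32"; }

# Local-only jails: 127.0.10.x aliases on re0, exactly as in the tests.
# They can reach each other through the host's loopback path but are
# never NATed, so they have no return path to the public internet.
loc1 { ip4.addr = "re0|127.0.10.10/32"; }
loc2 { ip4.addr = "re0|127.0.10.11/32"; }

# ---- /etc/pf.conf (assumed host firewall; ordering is pf's own) ----
ext_if = "re0"
table <localjails> { 127.0.10.10, 127.0.10.11 }

# Translation: only 10.0.0.0/8 is NATed, matching the thread's setup.
nat on $ext_if from 10.0.0.0/8 to any -> ($ext_if)

# Filtering: make "local only" a stated policy instead of a side effect
# of the missing NAT. Anything from a local-only jail that tries to leave
# via re0 is dropped and logged, and nothing from outside may be delivered
# to those addresses.
block out log quick on $ext_if from <localjails> to any
block in  log quick on $ext_if from any to <localjails>

# Loopback traffic (host <-> jails, jail <-> jail) passes unfiltered,
# which is what the message says the host firewall already does.
set skip on lo0
pass out on $ext_if
```

With this in place, `pfctl -nf /etc/pf.conf` checks the syntax without loading it, `pfctl -s nat` and `pfctl -s rules` show what actually loaded, and `tcpdump -n -e -ttt -i pflog0` shows any attempt by loc1 or loc2 to leave via re0, which is how to confirm the jails are contained by policy and not merely by the absence of a NAT entry.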