ipfw not blocking inter jail ip traffic

Steve Bertrand steve at ibctech.ca
Sat Nov 21 14:07:55 UTC 2009


Peter wrote:
> Hi,
> 
>     Have 2 jails and I don't want them to be able to reach each other.
> 
> gulag:#ifconfig em0
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 08:00:27:03:18:ea
>         inet 172.20.6.50 netmask 0xffffff00 broadcast 172.20.6.255
>         inet 172.20.6.209 netmask 0xffffff00 broadcast 172.20.6.255
>         inet 172.20.6.211 netmask 0xffffff00 broadcast 172.20.6.255
> 
> gulag:#ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 10000 deny ip from 172.20.6.209 to 172.20.6.211
> 10001 deny ip from 172.20.6.211 to 172.20.6.209
> 40000 deny ip from 172.20.6.209 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> 
> The two jails [.209 and .211] can still ping each other.
> Even with rule 40000, the .209 jail can ping/ssh to the .211 jail, but of
> course cannot ping the gateway...
> If I remove rule '100' from the list, jails are no longer able to ping
> each other - although the IPs are on em0, why is the rule with lo0 letting
> them pass?

Because, AFAIK, traffic that stays within the box never crosses the
external (ie: non-loopback) interface planes.

> Does lo0 mean ALL ips assigned to server? or does it mean
> loopback interface:

It means loopback interface. Essentially, all traffic that originates
and is destined to itself stays within the loopback.

Try this:

ipfw add 40000 deny all from 172.20.6.211 to 172.20.6.209 via lo0

The following would allow you block access from .211 to ANY other IP
(jail) on the box (I *think* it would still permit network destined
traffic):

ipfw add xxxx deny all from 172.20.6.211 to me

HTH,

Steve
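As an added illustration (not from the thread, and only a model of ipfw's first-match evaluation rather than ipfw itself): the rule list Peter posted, evaluated against a packet between the two jail addresses that the host delivers over lo0. It also shows why a pairwise deny only takes effect when it is numbered below rule 100, since once rule 100 matches no later rule is consulted; the gateway address 172.20.6.1 used at the end is an assumed placeholder.

```python
"""First-match model of the ipfw rule set posted in the thread (added example,
not real ipfw). Traffic between two addresses on the same host is modelled as
passing via lo0, which is the assumption the thread turns on."""
import ipaddress
from typing import List, Optional, Tuple

# (rule number, action, src spec, dst spec, interface or None for "any interface")
Rule = Tuple[int, str, str, str, Optional[str]]

JAIL_A, JAIL_B = "172.20.6.209", "172.20.6.211"

POSTED_RULES: List[Rule] = [
    (100,   "allow", "any", "any", "lo0"),
    (200,   "deny",  "any", "127.0.0.0/8", None),
    (300,   "deny",  "127.0.0.0/8", "any", None),
    (10000, "deny",  JAIL_A, JAIL_B, None),
    (10001, "deny",  JAIL_B, JAIL_A, None),
    (40000, "deny",  JAIL_A, "any", None),
    (65000, "allow", "any", "any", None),
    (65535, "deny",  "any", "any", None),
]

def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise host or CIDR containment."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules: List[Rule], src: str, dst: str, iface: str) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule, lowest number first."""
    for num, action, s, d, via in sorted(rules, key=lambda r: r[0]):
        if addr_matches(s, src) and addr_matches(d, dst) and via in (None, iface):
            return num, action
    raise AssertionError("rule 65535 should always match")

def isolated(rules: List[Rule], a: str, b: str) -> bool:
    """True when neither jail can reach the other over the loopback path."""
    return all(evaluate(rules, x, y, "lo0")[1] == "deny" for x, y in ((a, b), (b, a)))

# Pairwise denies numbered *below* the blanket lo0 allow, so they are consulted first.
FIXED_RULES: List[Rule] = [
    (50, "deny", JAIL_A, JAIL_B, "lo0"),
    (51, "deny", JAIL_B, JAIL_A, "lo0"),
] + POSTED_RULES

if __name__ == "__main__":
    print("posted:", evaluate(POSTED_RULES, JAIL_A, JAIL_B, "lo0"))  # (100, 'allow')
    print("fixed: ", evaluate(FIXED_RULES, JAIL_A, JAIL_B, "lo0"))   # (50, 'deny')
```

Dropping rule 100 from the model reproduces Peter's observation: the same packet then falls through to rule 10000 and is denied.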