Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)
Goran Mekić
meka at tilda.center
Tue Nov 7 18:26:48 UTC 2017
On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> Hi Everyone,
>
> Problem: isolating jail away from internal network and host "hosting"
> it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
> enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
> single network card on re0
>
> I am unable to prevent the jail from accessing the host (192.168.1.200); for any other
> IP it is working. I have configured VNET just to have a separated stack,
> but the host is still accessible from the jail.
>
> Am I missing something, or is this just something that can't be
> accomplished using pf? I have been banging my head against the wall with this issue
> for the past few months, going radical lately (kernel recompile ;) ),
> but still without any result.
>
> Can PLEASE someone help me out?
>
> Regards,
> irukandji
I am not sure I understand the use case. It sounds to me like you would like to be a hosting provider where a bare metal machine is hosting other people's jails, and you don't want those people to be able to access the underlying machine. Also, when you say "jail accessing host", does that mean over SSH or something else?
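As an added example (not from either poster), a host-side pf.conf sketch for the setup described in the question: a vnet jail bridged onto the LAN, with the rules kept on the host rather than inside the jail. Interface names (re0, bridge0, epair0a) and the bridge sysctl behaviour noted in the comments are assumptions about this environment.

```pf
# Added example, not from this thread. Host /etc/pf.conf for a vnet jail
# whose epair is a member of bridge0 alongside the physical NIC.
# Assumed names: re0 = NIC, epair0a = host side of the jail's epair,
# jail = 192.168.1.100, host = 192.168.1.200, LAN = 192.168.1.0/24.
ext_if  = "re0"
jail_if = "epair0a"
jail_ip = "192.168.1.100"
host_ip = "192.168.1.200"
lan     = "192.168.1.0/24"

set skip on lo0

# Jail <-> host: drop it wherever pf happens to see it. Packets from a
# bridge member that are destined to a local address are handed up with
# rcvif set to the receiving host interface unless
# net.link.bridge.pfil_local_phys=1 (default 0), so an interface-bound
# rule on $jail_if can miss exactly this traffic; these rules are not
# tied to an interface on purpose.
block in  quick from $jail_ip to $host_ip
block out quick from $host_ip to $jail_ip

# Jail <-> rest of the internal network: filtered on the member interface
# as the bridge forwards it (needs net.link.bridge.pfil_member=1, the
# default). Anti-spoofing last so the jail cannot borrow another address.
block in quick on $jail_if from $jail_ip to $lan
pass  in quick on $jail_if from $jail_ip to ! $lan keep state
block in quick on $jail_if from ! $jail_ip

# Host's own traffic: out anywhere, SSH in from the LAN only.
pass out on $ext_if from $host_ip keep state
pass in  on $ext_if proto tcp from $lan to $host_ip port 22 keep state
```

Check the result from the host with `pfctl -vvsr` and from inside the jail with a simple TCP connect to 192.168.1.200; `tcpdump -ni epair0a` on the host shows which interface the blocked packets actually arrive on if the first rule pair does not match.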