vnet jail for local only or public access


vnet jail for local only or public access

Ernie Luzar
Trying to figure out how to configure a vnet jail so it is restricted to
only being able to talk to other vnet jails on the same host, i.e. local-only
vnet jails, as opposed to the type of vnet jail that is able to access the
public internet.

Using the bridge/epair method of connecting vnet jails to the host.
[ based on this how-to ]
https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/

It's my understanding that this behavior is controlled by whether the host's
interface connected to the public internet is added as a member of the
bridge that the vnet jails' epairXa interfaces are members of.

I tested this on a remote VM and found that it made no difference one
way or the other whether the host's interface connected to the public internet
was added as a member of the bridge or not. In both cases the vnet jail
had public internet access.

On my home server I set up this scenario and observed the same behavior.

This behavior raises some questions.

Is it technically possible to segregate vnet jails into groups of vnet
jails that are restricted to local host only access and another group
that has public access?

If so what is the mechanism that controls this ability?

If I wanted both local only and public vnet jails on the same host I
would think each group would need its own bridge. Where do we go from there?

Is my understanding correct and this is a bug in if_bridge?



_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: vnet jail for local only or public access

Alexander Leidinger
Quoting Ernie Luzar <[hidden email]> (from Fri, 17 Jul 2020  
08:46:07 -0400):

> Trying to figure out how to configure a vnet jail so it is  
> restricted to only being able to talk to other vnet jails on the  
> same host IE: local only vnet jails. As different to being able to  
> access the public internet type of vnet jails.
>
> Using the bridge/epair method of connecting vnet jails to the host.
> [ based on this how-to ]
> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>
> It's my understanding that this behavior is controlled by if the  
> hosts interface connected to the public internet is added as a  
> member to the bridge the vnet jails epairXa interfaces were members  
> of.
Partly correct. You can also have a setup where your host is routing  
between what you call the public internet and the local only vnets.

> I tested this on a remote vm and found that it made no difference  
> one way or the other if the hosts interface connected to the public  
> internet was added as a member to the bridge or not. In both cases  
> the vnet jail had public internet access.

It shouldn't, if there is no routing involved.

Please show us "ifconfig -a" and "netstat -rn" of the host.

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    [hidden email]  : PGP 0x8F31830F9F2772BF


Re: vnet jail for local only or public access

Ernie Luzar
Alexander Leidinger wrote:

> Quoting Ernie Luzar <[hidden email]> (from Fri, 17 Jul 2020 08:46:07
> -0400):
>
>> Trying to figure out how to configure a vnet jail so it is restricted
>> to only being able to talk to other vnet jails on the same host IE:
>> local only vnet jails. As different to being able to access the public
>> internet type of vnet jails.
>>
>> Using the bridge/epair method of connecting vnet jails to the host.
>> [ based on this how-to ]
>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/ 
>>
>>
>> It's my understanding that this behavior is controlled by if the hosts
>> interface connected to the public internet is added as a member to the
>> bridge the vnet jails epairXa interfaces were members of.
>
> Partly correct. You can also have a setup where your host is routing
> between what you call the public internet and the local only vnets.
>
>> I tested this on a remote vm and found that it made no difference one
>> way or the other if the hosts interface connected to the public
>> internet was added as a member to the bridge or not. In both cases the
>> vnet jail had public internet access.
>
> It shouldn't, if there is no routing involved.
>
> Please show us "ifconfig -a" and "netstat -rn" of the host.
>
> Bye,
> Alexander.
>

root >netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0
xxx.25.48.0/20     link#2             U           re0
xxx.25.51.0        link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
/root >
/root >ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether d0:50:99:93:75:98
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 50:3e:aa:06:11:22
        inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-only-bridge
        ether 02:3e:ba:a7:58:0a
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge
        nd6 options=1<PERFORMNUD>
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-dir10
        options=8<VLAN_MTU>
        ether 02:f6:61:9a:b4:0a
        inet6 fe80::f6:61ff:fe9a:b40a%epair4a prefixlen 64 scopeid 0x6
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


Vnet jail can ping the public internet.

Re: vnet jail for local only or public access

Alexander Leidinger
Quoting Ernie Luzar <[hidden email]> (from Fri, 17 Jul 2020  
16:31:53 -0400):

> Alexander Leidinger wrote:
>> Quoting Ernie Luzar <[hidden email]> (from Fri, 17 Jul 2020  
>> 08:46:07 -0400):
>>
>>> Trying to figure out how to configure a vnet jail so it is  
>>> restricted to only being able to talk to other vnet jails on the  
>>> same host IE: local only vnet jails. As different to being able to  
>>> access the public internet type of vnet jails.
>>>
>>> Using the bridge/epair method of connecting vnet jails to the host.
>>> [ based on this how-to ]
>>> https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
>>>
>>> It's my understanding that this behavior is controlled by if the hosts
>>> interface connected to the public internet is added as a member to the
>>> bridge the vnet jails epairXa interfaces were members of.
>>
>> Partly correct. You can also have a setup where your host is  
>> routing between what you call the public internet and the local  
>> only vnets.
>>
>>> I tested this on a remote vm and found that it made no difference  
>>> one way or the other if the hosts interface connected to the  
>>> public internet was added as a member to the bridge or not. In  
>>> both cases the vnet jail had public internet access.
>>
>> It shouldn't, if there is no routing involved.
>>
>> Please show us "ifconfig -a" and "netstat -rn" of the host.
>>
>> Bye,
>> Alexander.
>>
>
> root >netstat -rn4
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            65.25.48.1         UGS         re0
> 10.0.0.0/8         link#1             U           em0
> 10.0.10.2          link#1             UHS         lo0
> 10.0.20.0/24       link#5             U      bridge10
You have a routing table entry for the bridge on the host.

> 10.0.20.2          link#5             UHS         lo0
> xxx.25.48.0/20     link#2             U           re0
> xxx.25.51.0        link#2             UHS         lo0
> 127.0.0.1          link#3             UH          lo0
> /root >
> /root >ifconfig -a

> bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric  
> 0 mtu 1500
> description: qjail-vnet-jail-only-bridge
> ether 02:3e:ba:a7:58:0a
> inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>        ifmaxaddr 0 port 6 priority 128 path cost 2000
> groups: bridge
> nd6 options=1<PERFORMNUD>
Your bridge has an IP address.

Both together: I suspect your host is routing between your jail and  
the outside.

If you remove the IP address from the bridge, you should have a  
jails-on-the-bridge-only setup.

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    [hidden email]  : PGP 0x8F31830F9F2772BF

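The distinction drawn in the two replies above (public access because the host's uplink NIC is a member of the bridge, versus the host routing for the jails because the bridge carries a host address and a connected route) can be checked mechanically from the same two commands Alexander asked for. The script below is an added example, not code from the thread or from qjail. It reads the text of "ifconfig -a" and "netstat -rn4", classifies each bridge, and runs offline against a constructed sample adapted from the output Ernie posted; the extra bridge11 (no host address) and bridge12 (re0 as a member) are hypothetical and exist only to show the other two cases. The uplink interface name (re0 here) is passed in as a parameter.

```shell
#!/bin/sh
# Added example (not from the thread): classify each if_bridge on a FreeBSD
# host as "isolated" (jails-only), "routed" (the host owns an address on the
# bridge and has a connected route, so it can forward for the jails when
# net.inet.ip.forwarding=1) or "bridged-public" (the uplink NIC is a member).
# Input is the text of "ifconfig -a" and "netstat -rn4"; a sample is below.

# Print the member interfaces of bridge $2 from ifconfig text $1.
bridge_members() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { sub(":", "", $1); cur = $1; next }   # start of an interface block
        cur == want && $1 == "member:" { print $2 }'
}

# Succeed if interface $2 carries an IPv4 address in ifconfig text $1.
iface_has_inet() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { sub(":", "", $1); cur = $1; next }
        cur == want && $1 == "inet" { found = 1 }
        END { exit !found }'
}

# Succeed if netstat text $1 has a network (not host, flag H) route via Netif $2.
host_has_net_route() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 4 && $4 == want && $3 ~ /U/ && $3 !~ /H/ { found = 1 }
        END { exit !found }'
}

# classify_bridge IFCONFIG_TEXT NETSTAT_TEXT BRIDGE UPLINK_NIC
classify_bridge() {
    if bridge_members "$1" "$3" | grep -qx "$4"; then
        echo bridged-public   # jails sit on the uplink's L2 segment
    elif iface_has_inet "$1" "$3" && host_has_net_route "$2" "$3"; then
        echo routed           # host stack is reachable and can forward for the jails
    else
        echo isolated         # only bridge members can talk to each other
    fi
}

# Constructed sample: bridge10 and the routes are as posted in the thread;
# bridge11 and bridge12 are hypothetical additions for the other two cases.
IFCONFIG=$(cat <<'EOF'
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 50:3e:aa:06:11:22
        inet xxx.25.51.0 netmask 0xfffff000 broadcast 255.255.255.255
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail-vnet-jail-only-bridge
        ether 02:3e:ba:a7:58:0a
        inet 10.0.20.2 netmask 0xffffff00 broadcast 255.255.255.0
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
bridge11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:3e:ba:a7:58:0b
        member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge12: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:3e:ba:a7:58:0c
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: epair7a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
)
NETSTAT=$(cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.25.48.1         UGS         re0
10.0.20.0/24       link#5             U      bridge10
10.0.20.2          link#5             UHS         lo0
xxx.25.48.0/20     link#2             U           re0
127.0.0.1          link#3             UH          lo0
EOF
)

for br in bridge10 bridge11 bridge12; do
    printf '%-9s %s\n' "$br" "$(classify_bridge "$IFCONFIG" "$NETSTAT" "$br" re0)"
done

# To turn bridge10 into the jails-only segment suggested above, run as root:
#   ifconfig bridge10 inet 10.0.20.2 -alias    # drops the host address and its /24 route
# To give a second group public access through L2 instead of the host's routing:
#   ifconfig bridge0 create addm re0 addm epair0a up
```

On a live host run `classify_bridge "$(ifconfig -a)" "$(netstat -rn4)" bridge10 re0`. The check only looks at interface and route state; whether the host really forwards is decided by `sysctl net.inet.ip.forwarding` (set by gateway_enable in rc.conf), and a 10.0.20.0/24 source still needs NAT somewhere to reach the public internet, which the posted output does not show. A bridge with no host address and no uplink member carries frames only between its members, so its jails can reach each other but neither the host's IP stack nor re0.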