Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)

2017-11-08 Thread Sami Halabi
Hi,
To completely isolate a specific jail, the following solution comes to my mind:
1. use vimage.
2. setup 1 broker jail - that jail will have ipfw (or pf, but I recall it
has several bugs and kernel panics) with nat, and will have 2 nics of 2
different epairs, one to the host and the other to the isolated jail aka
'private lan'. You should nat all traffic from the nic with the isolated
jail to the world, and block access to your own networks and any other
restrictions you want.
3. setup your jail with the epair nic from the broker 'lan' jail.

just an idea.

Sami

On 8 Nov 2017 04:39 PM, "Kristof Provost" wrote:

> On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
> > Hi Everyone,
> >
> > Problem: isolating jail away from internal network and host "hosting"
> > it.
> > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
> > enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
> > single network card on re0
> >
> Can you show how you’ve started the jail and configured the network setup?
> Are you running a vnet jail?
>
> > I am unable to prevent the jail accessing the host (192.168.1.200); for any
> > other IP it is working. I have configured VNET just to have a separated
> > stack but the host is still accessible from the jail.
> >
> What pf rules do you have?
>
> > Am I missing something or is this just something that can't be
> > accomplished using pf? I am banging my head against the wall with this
> > issue for the past few months, going radical lately (kernel recompile ;) )
> > but still without any result.
> >
> It should be possible to do this, but there’s a lot of ways to set this up.
>
> Also bear in mind that VIMAGE was experimental in 11.1. There are several
> important bugs that are not fixed in 11.1 (but are fixed in CURRENT),
> especially in combination with pf.
>
> Regards,
> Kristof
> ___
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
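A pf.conf for the broker jail in Sami's suggestion above, written here as an added example and not taken from the thread. The interface names (epair0b toward the host bridge, epair1a toward the isolated jail), the 10.10.10.0/24 'private lan' and the assumption that /dev/pf is exposed inside the broker jail's devfs ruleset are mine; the host address and LAN (192.168.1.200, 192.168.1.0/24) come from the original report.

```pf
# pf.conf for the broker jail (added example; interface names and 10.10.10.0/24
# are assumptions, 192.168.1.0/24 and the host 192.168.1.200 are from the thread)
ext_if   = "epair0b"          # broker leg plugged into the host's bridge / uplink
int_if   = "epair1a"          # broker leg facing the isolated (honeypot) jail
priv_net = "10.10.10.0/24"    # 'private lan' between broker and isolated jail

# Networks the isolated jail must never reach: the host and the whole internal LAN.
table <protected> const { 192.168.1.200, 192.168.1.0/24 }

set skip on lo0
scrub in all

# Hide the private lan behind the broker's uplink address: the honeypot can
# reach the world, but nothing on the LAN ever sees a 10.10.10.x source.
nat on $ext_if from $priv_net to any -> ($ext_if)

# Default deny, logged, so anything the honeypot tries shows up in pflog.
block log all

# pf is last-match-wins unless 'quick'; the blocks toward the broker itself
# and toward <protected> must be quick so the generic pass cannot override them.
block in quick log on $int_if from $priv_net to ($int_if)
block in quick log on $int_if from $priv_net to <protected>
pass  in  on $int_if from $priv_net to any keep state
pass  out on $ext_if from ($ext_if) to ! <protected> keep state

# Nothing may initiate connections from outside into the broker or the honeypot;
# only replies to the states created above are allowed back in.
```

Load it with `pfctl -f /etc/pf.conf` inside the broker jail and confirm with `pfctl -sr` that the two quick blocks precede the pass rules; `tcpdump -ni pflog0` then shows every attempt the isolated jail makes toward the host or LAN.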

Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)

2017-11-08 Thread Kristof Provost
On 7 Nov 2017, at 23:43, irukandji via freebsd-pf wrote:
> Hi Everyone,
>
> Problem: isolating jail away from internal network and host "hosting"
> it.
> Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
> enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
> single network card on re0
>
Can you show how you’ve started the jail and configured the network setup?
Are you running a vnet jail?

> I am unable to prevent the jail accessing the host (192.168.1.200); for any
> other IP it is working. I have configured VNET just to have a separated
> stack but the host is still accessible from the jail.
>
What pf rules do you have?

> Am I missing something or is this just something that can't be
> accomplished using pf? I am banging my head against the wall with this
> issue for the past few months, going radical lately (kernel recompile ;) )
> but still without any result.
>
It should be possible to do this, but there’s a lot of ways to set this up.

Also bear in mind that VIMAGE was experimental in 11.1. There are several
important bugs that are not fixed in 11.1 (but are fixed in CURRENT),
especially in combination with pf.

Regards,
Kristof

Re: Jail isolation from internal network and host (pf, vnet (vimage), freebsd 11.1)

2017-11-08 Thread irukandji via freebsd-pf
The use case is to completely isolate the jail from the environment for
running a honeypot. I can pf-filter the traffic coming from the jail
to the internal network, but the FreeBSD server that is running the
jails (here the "host") can be accessed from the jail using its IP. I have
tried various methods of configuring jails / pf, finally even
recompiling the kernel for vimage/vnet support, but the problem stays.

If I execute tcpdump -i vnet0:3 I can see the traffic flowing from the jail
IP to the host, but once I set up a rule for blocking it, like:
block quick on vnet0:3 all

...it doesn't work; the traffic passes as if there were no pf. I am
missing something but I have no clue what...

Thank you.



On Tue, 2017-11-07 at 19:18 +0100, Goran Mekić wrote:
> On Tue, Nov 07, 2017 at 04:43:48PM +0100, irukandji via freebsd-pf wrote:
> > Hi Everyone,
> > 
> > Problem: isolating jail away from internal network and host "hosting"
> > it.
> > Environment: jail with 192.168.1.100, host 192.168.1.200, VIMAGE
> > enabled kernel, VNET (vnet0:JID) over bridge interface (bridge0),
> > single network card on re0
> > 
> > I am unable to prevent the jail accessing the host (192.168.1.200); for
> > any other IP it is working. I have configured VNET just to have a
> > separated stack but the host is still accessible from the jail.
> > 
> > Am I missing something or is this just something that can't be
> > accomplished using pf? I am banging my head against the wall with this
> > issue for the past few months, going radical lately (kernel recompile ;) )
> > but still without any result.
> > 
> > Can PLEASE someone help me out?
> > 
> > Regards,
> > irukandji
> 
> I am not sure I understand the use case. Sounds to me like you would
> like to be a hosting provider where a bare metal machine is hosting other
> people's jails, and you don't want those people being able to access
> the underlying machine. Also, when you say "jail accessing host", does
> that mean over SSH or something else?