Arthur Chance wrote:
> On 05/08/2020 02:02, Ernie Luzar wrote:
>> I have non-vnet jails working that can reach the public internet.
>> But now I would like to make some local only non-vnet jails that can
>> only access other local only non-vnet jails. By local meaning have no
>> access to the public internet.
>>
>> How do I make this happen?
>>
>> Thanks for any pointers.
>
> Create a second loopback interface (cloned_interfaces="lo1" in
> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
> local jails on lo1 without access to any other interface.


I tested this already and it doesn't work.

A non-vnet jail with lo99 for the NIC and an IP address of 10.0.28.5 can still reach the public internet.

Also tested a non-vnet jail with re0 for the NIC and an IP address of 127.0.10.10, and it can NOT reach the public internet.

Created a second non-vnet jail with re0 for the NIC and an IP address of 127.0.10.11, and it can NOT reach the public internet.

But these 2 jails can ping each other.

So the NIC loX has nothing to do with limiting the non-vnet jail to local host access only. Based on the above 2 tests, it looks like the 127.0.0.2 through 127.255.255.254 IP address range is the local host controlling factor.

Just to cover all the bases: the host firewall allows the lo0 interface to pass without any rules. The lo99 interface has no firewall rules at all, nor any NAT rules for 127.0.0.0/8. 10.0.0.0/8 is the only IP address range being NATed.

To see whether 127.0.0.0/8 has some special internal limiting factor on it, or whether the firewall not NATing 127.0.0.0/8 is the cause of non-vnet jails not being able to reach the public internet, I created a 3rd non-vnet jail with re0 for the NIC and an IP address of 192.168.10.10 and made no changes to the firewall or NAT. This jail can NOT reach the public internet, but can ping the other 2 local-only jails 127.0.10.10 and 127.0.10.11.

So the conclusion is that loX or 127.0.0.0/8 has nothing to do with being the controlling factor between local or public non-vnet jails. The real controlling factor is whether the jail's IP address is being NATed or not.

Can this conclusion be disputed?


_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
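An added configuration example, not from either poster, showing Arthur's lo1 suggestion combined with Ernie's finding that the NAT rule decides reachability: two local-only jails on a cloned lo1 with 127.0.10.x addresses that never appear in the NAT rule, one public jail on 10.0.28.5 that does, and an explicit pf block so the local jails' isolation is enforced rather than resting only on the absence of a NAT rule. pf as the host firewall, the interface names, jail paths and hostnames are assumptions.

```conf
# /etc/rc.conf (fragment) -- second loopback for the local-only jails (assumed pf host firewall)
cloned_interfaces="lo1"
gateway_enable="YES"
pf_enable="YES"
jail_enable="YES"

# /etc/jail.conf -- shared settings, then one stanza per jail
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";               # assumed directory layout
host.hostname = "$name.example.invalid"; # placeholder hostnames

# Public jail: 10.0.28.5 lies inside the 10.0.0.0/8 range the NAT rule covers
public1 {
    interface = "re0";
    ip4.addr  = 10.0.28.5;
}

# Local-only jails: 127.0.10.x on lo1, outside every NAT rule
local1 {
    interface = "lo1";
    ip4.addr  = 127.0.10.10;
}
local2 {
    interface = "lo1";
    ip4.addr  = 127.0.10.11;
}

# /etc/pf.conf -- NAT only the public range, explicitly block the local jails on re0
ext_if       = "re0"
public_jails = "10.0.0.0/8"
local_jails  = "{ 127.0.10.10, 127.0.10.11 }"

# Loopback traffic (jail-to-jail pings) passes unfiltered, as on Ernie's host
set skip on { lo0 lo1 }

# Only the public range is translated; 127.0.10.x has no NAT entry
nat on $ext_if inet from $public_jails to any -> ($ext_if)

# Defence in depth: drop and log anything the local jails send or receive
# via the external interface instead of relying on "not NATed" alone
block out quick log on $ext_if inet from $local_jails to any
block in  quick log on $ext_if inet to $local_jails
pass out on $ext_if
```

Load with `pfctl -f /etc/pf.conf` and start the jails with `service jail start`; a `pfctl -sr` listing should show the two block rules ahead of the generic pass.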