girgen@
Developer
FreeBSD-14.1
I have a rather simple setup with jails using netgraph (using the `/usr/share/examples/jails/jng` script and "model").
The host machine has two interfaces:
bnxt0: (external, has no IP#)
bnxt1: 192.168.1.79/24
jail.conf:
Code:
host.hostname = "$name.example.com"; # hostname
path = "/jails/$name";
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
vnet;
# netgraph
vnet.interface = ng0_$name, ng1_$name; # vnet interface(s)
exec.prestart += "jng bridge $name bnxt0 bnxt1"; # bridge interface(s)
exec.poststop += "jng shutdown $name"; # destroy interface(s)
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.consolelog = "/var/log/jail_$name.log";
mount.devfs; # mount devfs
mount.fdescfs;
devfs_ruleset=5;
allow.mlock=1;
mount.fstab="/etc/fstab.$name";
fw {}
which creates a single jail `fw'.
/jails/fw/etc/rc.conf:
hostname=fw.example.com
ifconfig_ng0_fw="inet 1.2.3.4/26"
ifconfig_ng1_fw="inet 192.168.1.212/24"
defaultrouter="1.2.3.1"
sshd_enable="yes"
Code:
$ sudo ngctl list
There are 8 total nodes:
Name: ngctl69965 Type: socket ID: 00000021 Num hooks: 0
Name: bnxt0 Type: ether ID: 00000001 Num hooks: 2
Name: bnxt1 Type: ether ID: 00000002 Num hooks: 2
Name: ue0 Type: ether ID: 00000003 Num hooks: 0
Name: bnxt0bridge Type: bridge ID: 00000009 Num hooks: 3
Name: ng0_fw Type: eiface ID: 0000000e Num hooks: 1
Name: bnxt1bridge Type: bridge ID: 00000016 Num hooks: 3
Name: ng1_fw Type: eiface ID: 0000001b Num hooks: 1
I plan to create a reasonably large number of jails this way, by just adding
jname {}
to the jail.conf file.
Now, I would like to have a simple generic setup with pf filtering out unwanted ports from incoming traffic.
I tried this simplistic setup:
Code:
ext_if = "bnxt0"
int_if = "bnxt1"
block in on $ext_if
dns_servers = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"
pass in on $ext_if proto { tcp udp } from $dns_servers to any port 53
pass in on $ext_if proto tcp from any to any port { 80 443 22 }
but nothing happens, everything is passed directly into the jail:
Code:
nc -l 4444
and I can just telnet 1.2.3.4 4444
I assume I'm making some simple mistake here, but I find very little information wrt the combo of netgraph, pf and jails. Any tips? I tried configuring pf to work on the bridge interface, but it made no difference.
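A concrete way to get the intended filtering in place, added here as an example and not part of girgen@'s post or of the jng script: host pf is attached to the host's own pfil hooks, which sit in the host network stack, and frames that the ng_bridge node switches between bnxt0's ng_ether hooks and the jail's ng_eiface never enter that stack, so host rules on bnxt0 have nothing to match. Running pf inside the vnet jail puts the rules where the packets actually reach an IP stack. The pf.conf below is written for /jails/fw/etc/pf.conf; interface names, addresses and the resolver list are the ones from the post, and it assumes pf.ko and pflog.ko are loaded on the host and that ruleset 5 in the jail's devfs_ruleset is the stock devfsrules_jail_vnet set, which unhides /dev/pf and bpf inside the jail.

```pf
# /jails/fw/etc/pf.conf -- added example, not from the post or the jng script.
# Loaded by pf running inside the vnet jail "fw"; names and addresses follow
# the jail's rc.conf in the post. Assumes pf.ko and pflog.ko are loaded on the
# host and /dev/pf is unhidden in the jail (devfs_ruleset=5, devfsrules_jail_vnet).
ext_if = "ng0_fw"      # 1.2.3.4/26, bridged by netgraph to bnxt0
int_if = "ng1_fw"      # 192.168.1.212/24, bridged by netgraph to bnxt1

dns_servers  = "{ 192.168.1.194, 1.2.3.9, 8.8.8.8, 1.1.1.1 }"
tcp_services = "{ 22, 80, 443 }"

set skip on lo0

# Reject obviously spoofed source addresses on the external side.
antispoof quick for $ext_if inet

# Default-deny inbound on the external interface; log the drops so they
# show up on pflog0 inside the jail.
block in log on $ext_if

# Whatever the jail itself initiates may leave; replies return via state.
pass out on $ext_if inet keep state

# Mirrors the post's rule: inbound DNS to the jail only from the listed resolvers.
pass in on $ext_if inet proto { tcp, udp } from $dns_servers to ($ext_if) port 53 keep state

# The published services, stateful so only the initial SYN is evaluated here.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# The internal side is not filtered in the post either; keep it open but stateful.
pass on $int_if inet keep state
```

To activate it, add `pf_enable="YES"` and `pflog_enable="YES"` to /jails/fw/etc/rc.conf (next to the sshd_enable line from the post), syntax-check with `jexec fw pfctl -nf /etc/pf.conf`, start with `jexec fw service pf start`, and inspect the loaded rules with `jexec fw pfctl -vsr`; dropped packets can be watched with `jexec fw tcpdump -n -e -ttt -i pflog0`. With this in place the `nc -l 4444` test from the post no longer answers from outside, because port 4444 falls under the `block in log on $ext_if` rule, while 22, 80 and 443 still do. Since every jail's interface names carry the jail name, the two macros at the top are the only per-jail lines when this file is reused as a template for the additional `jname {}` jails.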