Kai Gallasch wrote:
Hi.

Is it possible at all to log actions of IPFW
firewall inside a running vnet/VIMAGE jail to the vnet/VIMAGE jail's syslog?

NO. Not at this time.


I'm asking, because I see no firewall log entries inside the jail's
/var/log/security log.

What I find is that log messages of jails with active IPFW rules are
only logged on the jailhost (/var/log/security), out of reach of any
local jail admins.
My kernel is built without firewall support. The ipfw.ko is loaded
dynamically when the server starts. No PF firewall is in use.

Compiling IPFW into the host's kernel makes no difference either.


- FreeBSD 10.1-RELEASE-p9
- /dev/bpf available inside jails
- firewall logging enabled on the jailhost and also inside the jail

I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178482 (2
years old, FreeBSD 9.1 related)

Cheers,
Kai.
As PR# 178482 shows, this bug has not been addressed in over 2 years, and your recent testing shows this bug is still present in the current production RELEASE 10.1 of FreeBSD.

In a nutshell, VIMAGE is experimental; IPFW was only made vimage-aware enough so it would not cause the host to abend. IPFW and vimage still don't integrate correctly.

The fact that IPFW can run on a host kernel with vimage compiled in and also in a vnet jail at the same time without blowing up DOESN'T mean that IPFW is really functioning correctly in a vnet jail. The fact that vnet/jail IPFW log messages are being written to the host's IPFW log message file strongly indicates IPFW in a vnet jail is insecure and violates the whole purpose of jail security. To me this is a major show stopper to using vnet/vimage jails at all.

Adding a comment to PR# 178482 saying this reported problem is still present in RELEASE 10.1 is about all you can do, next to you finding and correcting the bug in IPFW/vimage yourself. Good luck with that.
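The practical consequence of the thread is that the host admin holds the only copy of a vnet jail's IPFW log entries. The POSIX shell helper below is an added example, not part of either message, that summarises host-side /var/log/security lines by interface and rule number so the host admin can see which entries belong to which jail and pass them on. It assumes the standard ipfw kernel log format (`ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>`) and that each vnet jail's traffic is seen via its own epair interface; both are assumptions, not facts stated in the thread. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Summarise ipfw log lines
# from the host's /var/log/security by interface and rule number so a host
# admin can attribute a vnet jail's firewall hits to that jail.
# Assumed log format (FreeBSD ipfw kernel logging):
#   <date> <host> kernel: ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>
# Assumption: each vnet jail's traffic arrives via its own epair interface.

# Constructed sample input; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='May 12 10:00:01 jailhost kernel: ipfw: 100 Deny TCP 192.0.2.10:51234 198.51.100.5:22 in via epair0b
May 12 10:00:02 jailhost kernel: ipfw: 100 Deny TCP 192.0.2.10:51235 198.51.100.5:22 in via epair0b
May 12 10:00:03 jailhost kernel: ipfw: 200 Accept UDP 198.51.100.6:53 198.51.100.5:40000 in via em0
May 12 10:00:04 jailhost kernel: ipfw: 300 Deny ICMP:8.0 192.0.2.20 198.51.100.7 in via epair1b
May 12 10:00:05 jailhost sshd[123]: Accepted publickey for admin from 203.0.113.9 port 2222 ssh2'

# ipfw_summary: reads log lines on stdin and prints
# "<iface> <rule> <action> <count>", sorted by interface then rule.
# Lines without an "ipfw:" token (e.g. sshd messages) are ignored.
ipfw_summary() {
    awk '
        {
            # Locate the "ipfw:" token; the fields after it are rule, action, proto, ...
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next                  # not an ipfw log line
            rule = $(i + 1); action = $(i + 2)
            # The interface name is the field after the "via" token.
            iface = "-"
            for (j = i; j <= NF; j++) if ($j == "via") { iface = $(j + 1); break }
            count[iface " " rule " " action]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# ipfw_lines_for_iface: prints only the ipfw lines seen via one interface,
# i.e. the subset to hand to the jail admin who owns that epair side.
ipfw_lines_for_iface() {
    grep -E "ipfw: .* via $1\$"
}

# Usage on the host:
#   ipfw_summary < /var/log/security
#   ipfw_lines_for_iface epair0b < /var/log/security
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | ipfw_summary
```

The awk pass keys on the `ipfw:` token rather than on field positions, so syslog prefixes of differing length (hostname, PID, timestamp format) do not break the parse; anything without that token is dropped rather than miscounted.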
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"