Niklaas Baudet von Gersdorff wrote:
Hi,
In the manual I read the advice to disable the firewall on the
loopback interface (`set skip on lo0`). It makes sense to me: why
would I want to firewall traffic on the loopback interface?
I have jails with IPs assigned on lo1. Intentionally I do /not/
`set skip on lo1` because I also want to restrict traffic (in and
out) from and to the jails. (In case one of them becomes
infiltrated.)
However, today I realized that some connections originating from
these jails use the loopback interface lo0. That said, they
"circumvent" the firewall I set on lo1. `tcpdump` shows
connections on lo0 from and to jails' IPs (especially IPv6s)
although these IPs are solely assigned to lo1.
I was quite surprised by that behavior. So, if I want to isolate
the jails and restrict traffic from and to them, will I need to
remove skipping on lo0 and block there too?
Any advice and explanation is very much appreciated.
Niklaas
This bug report will answer your questions for non-vimage jails.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049
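The ruleset below is an added illustration for the question above; it is not taken from the thread, from the bug report, or from the FreeBSD documentation. It puts the poster's arrangement (lo0 skipped, jail rules keyed on lo1) next to one that still filters the jail addresses when the stack carries their packets over lo0. The interface name em0, the table name <jails>, the addresses (RFC 5737/3849 documentation ranges) and the example policy ports are all assumptions chosen for the illustration.

```pf
# pf.conf fragment (added example, not from the original thread)
# Assumed layout: host address on em0; jail addresses live on lo1.
ext_if = "em0"
table <jails> persist { 192.0.2.10, 192.0.2.11, 2001:db8::10, 2001:db8::11 }

# --- Weak arrangement, as described in the question ---------------------
# lo0 is exempt from filtering, and the jail rules only match "on lo1".
# Packets between jail addresses (or jail <-> host) that the kernel
# delivers over lo0 therefore never meet these rules.
#
#   set skip on lo0
#   block on lo1 from <jails>
#   block on lo1 to <jails>
#   pass on lo1 proto tcp from <jails> to any port 53 keep state

# --- Hardened arrangement -----------------------------------------------
# No "set skip" at all: lo0 is filtered like every other interface.
block log all

# The host itself still needs its own loopback traffic; limit that
# exemption to the loopback addresses instead of the whole interface.
pass quick on lo0 inet  from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet6 from ::1 to ::1

# Jail policy is keyed on the jail addresses, not on an interface, so it
# applies identically whether a packet shows up on lo1 or on lo0.
block quick from <jails> to <jails>                       # no jail-to-jail traffic
pass  quick proto tcp from <jails> to any port { 53, 80, 443 } keep state
pass  quick proto udp from <jails> to any port 53 keep state
pass  quick proto tcp from any to <jails> port 80 keep state   # example service

# Host's own outbound traffic
pass out quick on $ext_if from ($ext_if) keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and confirm the effect with the same `tcpdump` on lo0 that exposed the problem: a jail connection that previously appeared on lo0 should now show up in `pfctl -ss` as state matched by an address-based rule, or not appear at all if the policy blocks it. The `quick` keyword makes each rule final when it matches, so order the loopback exemption and the jail rules deliberately; the example ports are only placeholders for whatever the jails actually need.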
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf