This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!
I would like to ask users and admins to rewrite/take over important posts from here into the new main forum.
It is not possible for us to export from here and import into the main forum.
IPFW in the jail (alcatraz)
laster13
- PowerUser

- Posts: 995
- Joined: 01 Jun 2013 19:15
- Location: France-Marseille
- Status: Offline
IPFW in the jail (alcatraz)
hi
I would like to activate IPFW in the jail. Is it possible?
Thanks
- Parkcomm
- Advanced User

- Posts: 384
- Joined: 21 Sep 2012 12:58
- Location: Australia
- Status: Offline
Re: IPFW in the jail (alcatraz)
Interesting question - you could probably do it with a vnet jail (it won't work on shared IP jail), although the brig has a limitation (that you can work around) and Nas4free only supports a single FIB.
What are you trying to achieve?
NAS4Free Embedded 10.2.0.2 - Prester (revision 2003), HP N40L Microserver (AMD Turion) with modified BIOS, ZFS Mirror 4 x WD Red + L2ARC 128M Apple SSD, 10G ECC Ram, Intel 1G CT NIC + inbuilt broadcom
laster13
- PowerUser

- Posts: 995
- Joined: 01 Jun 2013 19:15
- Location: France-Marseille
- Status: Offline
Re: IPFW in the jail (alcatraz)
I am currently testing prelude-ids with OSSEC. OSSEC natively recognizes ipfw for handling adverse IPs, but the following command gives me an error:
Code:
ipfw : socket operation not permitted
- Parkcomm
- Advanced User

- Posts: 384
- Joined: 21 Sep 2012 12:58
- Location: Australia
- Status: Offline
Re: IPFW in the jail (alcatraz)
In TheBrig|Jail|Edit In jail allow: select allow raw sockets
Just a quick note - because you are just testing this looks OK but if you want this to go to production, IPFW (or any firewall) will be more secure configured on the host rather than a jail.
laster13
- PowerUser

- Posts: 995
- Joined: 01 Jun 2013 19:15
- Location: France-Marseille
- Status: Offline
Re: IPFW in the jail (alcatraz)
Thanks
Is it possible to install OpenVPN in a vnet jail? I tried but it doesn't work.
I create tun0
Code:
ifconfig create tun0
log
Code:
Oct 16 10:24:34 ipfw openvpn[3168]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Oct 4 2015
Oct 16 10:24:34 ipfw openvpn[3168]: library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Oct 16 10:24:42 ipfw openvpn[3214]: UDPv4 link local: [undef]
Oct 16 10:24:42 ipfw openvpn[3214]: UDPv4 link remote: [AF_INET]178.73.196.1:443
Oct 16 10:24:42 ipfw openvpn[3214]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 16 10:24:43 ipfw openvpn[3214]: VERIFY OK: depth=1, C=GB, ST=LN, L=London, O=vpnsvc, OU=vpnsvc, CN=vpnsvc.com, name=vpnsvc, emailAddress=noc@vpnsvc.com
Oct 16 10:24:43 ipfw openvpn[3214]: VERIFY OK: nsCertType=SERVER
Oct 16 10:24:43 ipfw openvpn[3214]: VERIFY OK: depth=0, C=GB, ST=LN, L=London, O=vpnsvc, OU=vpnsvc, CN=vpnsvc, name=vpnsvc, emailAddress=noc@vpnsvc.com
Oct 16 10:24:44 ipfw openvpn[3214]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 16 10:24:44 ipfw openvpn[3214]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 16 10:24:44 ipfw openvpn[3214]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 16 10:24:44 ipfw openvpn[3214]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 16 10:24:44 ipfw openvpn[3214]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Oct 16 10:24:44 ipfw openvpn[3214]: [vpnsvc] Peer Connection Initiated with [AF_INET]178.73.196.1:443
Oct 16 10:24:47 ipfw openvpn[3214]: Cannot allocate TUN/TAP dev dynamically
Oct 16 10:24:47 ipfw openvpn[3214]: Exiting due to fatal error
- Parkcomm
- Advanced User

- Posts: 384
- Joined: 21 Sep 2012 12:58
- Location: Australia
- Status: Offline
Re: IPFW in the jail (alcatraz)
I don't know what happened there - but try this within the jail.
I just tried it in my jail and it was created (no idea if it actually works, but creation is fine).
However I'm not sure you will get OpenVPN to work - I've never tried so I don't really know. Have a look at this https://forums.freenas.org/index.php?th ... nat.22873/
Code:
ifconfig tun create
Code:
root@Breen:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair6b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:b0:00:09:0b
inet6 fe80::ff:b0ff:fe00:90b%epair6b prefixlen 64 scopeid 0x2
inet 192.168.5.27 netmask 0xffffff00 broadcast 192.168.5.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
laster13
- PowerUser

- Posts: 995
- Joined: 01 Jun 2013 19:15
- Location: France-Marseille
- Status: Offline
Re: IPFW in the jail (alcatraz)
hi
I succeeded in activating IPFW with a vnet jail. I have also created an NFS mount point with a Debian release in a VM. When the vnet jail is activated the NFS doesn't work. Have you an idea?
- alexey123
- Moderator

- Posts: 1469
- Joined: 19 Aug 2012 08:22
- Location: Israel, Karmiel
- Contact:
- Status: Offline
Re: IPFW in the jail (alcatraz)
ipfw does not work within a jail - BECAUSE IT IS a jail, as a prison.

Also about mounting anything within a jail:
the jail's root user can mount only filesystems marked "jail" in the output of the command
Code:
lsvfs
But, if you really need to use a firewall or mount a filesystem, you can do it from the main server.
See the post about fail2ban within a jail - fail2ban sends a request to main, wait_on (included in the main system) checks the file, and the script sends to the main kernel what you want.
Home12.1.0.4 - Ingva (revision 7091)/ x64-embedded on AMD A8-7600 Radeon R7 A88XM-PLUS/ 16G RAM / UPS Ippon Back Power Pro 600
Lab 12.1.0.4 - Ingva (revision 7091) /x64-embedded on Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz / H61M-DS2 / 4G RAM / UPS Ippon Back Power Pro 600
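The host-side half of the arrangement alexey123 describes (the jail writes a request, something on the host checks it and applies the rule), as an added example that is not from this thread, NAS4Free or TheBrig. It assumes a spool directory shared with the jail, ipfw table 1 as the deny table (the table the rules above reference) and a one-line "ban <ip>" / "unban <ip>" request format; the jail is the lower-trust side, so the host validates every address before it reaches ipfw.

```sh
# Added example, not from the thread or from NAS4Free/TheBrig: the host-side
# half of the "jail asks, host acts" arrangement. A jailed IDS (OSSEC, fail2ban)
# drops one-line request files into a spool directory the host shares with it
# (assumed: nullfs-mounted); the host, which owns the firewall, validates each
# request before touching ipfw. Paths, table number and format are assumptions.
SPOOL="${SPOOL:-/var/spool/jail-bans}"   # assumed spool directory
TABLE="${TABLE:-1}"                      # ipfw table the deny rules reference
IPFW="${IPFW:-ipfw}"                     # set IPFW=echo for a dry run
# Accept only a plain dotted-quad IPv4 address (each octet 0-255). Anything
# else is rejected, so a compromised jail cannot smuggle extra ipfw arguments
# or shell metacharacters through the request file.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}
# Never let the jail ban loopback or the LAN the NAS itself lives on (assumed policy).
protected_ipv4() {
    case "$1" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}
# Apply one request ("ban <ip>" or "unban <ip>"); returns 0 only when applied.
apply_request() {
    action=$1; ip=$2
    if ! valid_ipv4 "$ip"; then echo "reject: bad address '$ip'" >&2; return 1; fi
    if protected_ipv4 "$ip"; then echo "reject: protected address $ip" >&2; return 1; fi
    case "$action" in
        ban)   $IPFW table "$TABLE" add "$ip" ;;
        unban) $IPFW table "$TABLE" delete "$ip" ;;
        *)     echo "reject: unknown action '$action'" >&2; return 1 ;;
    esac
}
# Drain the spool: one request per file; rejected requests are logged and dropped.
process_spool() {
    for f in "$SPOOL"/*.req; do
        [ -e "$f" ] || continue
        read -r action ip < "$f"
        apply_request "$action" "$ip" || :
        rm -f "$f"
    done
}
```

Run process_spool from the host (for example from cron) with IPFW left unset; a compromised IDS inside the jail can write anything into the spool, but the only thing it can get into the table is a well-formed, non-protected address.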
laster13
- PowerUser

- Posts: 995
- Joined: 01 Jun 2013 19:15
- Location: France-Marseille
- Status: Offline
Re: IPFW in the jail (alcatraz)
Thanks, but I have this result in a jail:
Code:
nas4free: ~# jexec prelude csh
root@prelude:/ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any
root@prelude:/ # ipfw show
00001 1 40 deny ip from table(1) to any
00001 15 1618 deny ip from any to table(1)
00100 218 72744 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 297 21388 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 10500 3921372 allow ip from any to any
and when OSSEC bans an IP, I have:
Code:
root@prelude:/ # ipfw table all list
---table(1)---
77.51.73.91/32 0
85.95.218.81/32 0
root@prelude:/ #
/etc/hosts.allow
Code:
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: releng/10.1/etc/hosts.allow 161710 2006-08-29 09:20:48Z ru $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
# _____ _ _
# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | |
# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | |
# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_|
# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_)
# |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow
# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow
# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow
# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
exim : ALL : allow
# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny
# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow
# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
: spawn (echo Finger. | \
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
: deny
# The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
- Parkcomm
- Advanced User

- Posts: 384
- Joined: 21 Sep 2012 12:58
- Location: Australia
- Status: Offline
Re: IPFW in the jail (alcatraz)
alexey123 wrote:
ipfw does not work within a jail - BECAUSE IT IS a jail, as a prison
Maybe it's more of a gulag - prisoners have to work in this prison.