guermantes
Patron
Joined: Sep 27, 2017
Messages: 213
Hi!
Getting ready to install my first plugin, I read a lot about it, and came across a thread chastising the software in question for, by default and in secret, accepting anonymous access from the entire internet (this was not necessarily in a Freenas context, so I don't know how relevant it was for Freenas; also it was addressed in an update, albeit not completely removed if I understand correctly).
However, it did get me thinking, as my trust in the Freenas team is much higher than my trust in random third-party devs whose software I may end up running in a jail.
So I figure I need to learn how to be in control over what can access the internet from a jail, and how to gauge if something is open for connections. I am learning Freenas/FreeBSD from scratch, so one thing at a time; the first task I set for myself was to completely lock down a new jail so that nothing outbound is allowed (with a view to progressively opening up as needed).
I failed miserably at this task. I am able to disable DNS lookup so that I can't ping google.com, but of course this does not stop me from pinging their IP directly. I tried using the IPFW (firewall) by adding to my jail's /etc/rc.conf

    firewall_enable="YES"
    firewall_type="closed"

(also tried "client") but after restarting the jail this does nothing to prevent pinging out. And all I can find when searching online are people with the reverse problem, wanting to establish internet contact, not cutting it off. How can I limit a jail to only communicate inside my LAN, but block it from going outside?
EDIT: is such a block not feasible to implement in the jail? Does it necessarily have to be done in the router?
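The following script is an added example, not part of the original post and not FreeNAS's own tooling. It shows one way to do what the post asks for from the host side: a jail without its own VNET network stack shares the host's stack, so an ipfw enabled inside the jail's rc.conf has nothing to act on, and the rules have to be loaded on the FreeNAS host (in a VNET jail the same ruleset could be loaded inside the jail instead). The script keys the rules on the jail's IP address, which in a non-VNET jail is an alias on the host interface. The jail address 192.168.1.50, the LAN 192.168.1.0/24, the jail name and the rule-number range 1000 to 1099 are hypothetical placeholders; it assumes the ipfw kernel module is available on the host and that the script runs as root when APPLY=yes is set.

```shell
#!/bin/sh
# Added example (not from the original post): confine a FreeNAS/FreeBSD jail
# to the LAN with host-side ipfw rules.  A non-VNET jail shares the host's
# network stack, so firewall_enable in the jail's own rc.conf has nothing to
# act on; the rules must be loaded on the host (or inside a VNET jail).
# Addresses, jail name and rule numbers below are hypothetical placeholders.

JAIL_IP="${JAIL_IP:-192.168.1.50}"      # address assigned to the jail
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # the only network the jail may talk to
JAIL_NAME="${JAIL_NAME:-myjail}"        # jail name as shown by jls
RULE_BASE="${RULE_BASE:-1000}"          # rules RULE_BASE..RULE_BASE+99 belong to this jail

# Emit the ipfw commands for one jail as text, so they can be reviewed (or
# tested) before anything is loaded into the kernel.  Order matters: ipfw
# stops at the first matching rule, so the LAN allows sit above the denies.
# keep-state lets replies to LAN connections through in either direction.
gen_rules() {
    jail_ip=$1; lan=$2; base=$3
    cat <<EOF
add $((base + 0)) check-state
add $((base + 10)) allow ip from $jail_ip to $lan keep-state
add $((base + 20)) allow ip from $lan to $jail_ip keep-state
add $((base + 30)) deny log ip from $jail_ip to any
add $((base + 40)) deny log ip from any to $jail_ip
EOF
}

# Load the rules: clear anything previously installed in this jail's range,
# then add the fresh set one command at a time (word splitting of $line is
# intended; each line is one ipfw argument list).
apply_rules() {
    n=$3
    while [ "$n" -lt $(( $3 + 100 )) ]; do
        ipfw -q delete "$n" 2>/dev/null
        n=$((n + 10))
    done
    gen_rules "$@" | while read -r line; do
        ipfw -q $line
    done
}

# Verify: hit counters for this jail's rules (a ping to an outside address
# should bump the "deny log ... to any" counter), then the sockets the jail
# has listening, which is what a plugin exposes to the LAN.
check_jail() {
    ipfw show | awk -v lo="$2" -v hi="$(( $2 + 99 ))" '$1 >= lo && $1 <= hi'
    jid=$(jls -j "$1" jid 2>/dev/null) && sockstat -4l -j "$jid"
}

# Dry run by default: print the rules.  Set APPLY=yes to load them.
# Caveat: loading ipfw.ko on a host for the first time installs a default
# deny-all rule; set net.inet.ip.fw.default_to_accept=1 as a loader tunable
# first, or an SSH session to the NAS will be cut off.
gen_rules "$JAIL_IP" "$LAN_NET" "$RULE_BASE"
if [ "${APPLY:-no}" = yes ]; then
    apply_rules "$JAIL_IP" "$LAN_NET" "$RULE_BASE"
    check_jail "$JAIL_NAME" "$RULE_BASE"
fi
```

Run it without arguments to see the generated ruleset, then `APPLY=yes JAIL_IP=... LAN_NET=... JAIL_NAME=... sh confine-jail.sh` on the host to load it; from inside the jail, `ping` to an outside address should then fail while LAN hosts stay reachable, and the logged denies show up in `ipfw show` counters and in the security log. Because FreeNAS regenerates the host's /etc/rc.conf, a ruleset like this is better kept in a post-init script than in rc.conf.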