I did some more reading and came across the RestrictNetworkInterfaces systemd unit setting. Could be very useful to restrict a jail to certain interfaces only.
Required kernel options are available on SCALE:
Code:
egrep '(CONFIG_BPF|CONFIG_BPF_SYSCALL|CONFIG_CGROUP_BPF)=' /boot/config-$(uname -r)
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_CGROUP_BPF=y
However on TrueNAS SCALE (Debian bookworm) systemd comes with the BPF_FRAMEWORK config disabled:
Code:
systemctl --version
systemd 252 (252.6-1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
And it looks like the libbpf package is not installed either. Therefore the below doesn't work:
systemd-run -t -p RestrictNetworkInterfaces="lo" ping archlinux.org
This should fail if bpf is functional (but it still pings archlinux.org unfortunately). More here.
But using the IPAddressAllow systemd unit setting does work!
Now I can only access IP 8.8.8.8:
systemd-run -t -p IPAddressAllow=8.8.8.8 -p IPAddressDeny=any ping 8.8.8.8
Now I can only access IP 1.1.1.1 so ping to 8.8.8.8 fails:
systemd-run -t -p IPAddressAllow=1.1.1.1 -p IPAddressDeny=any ping 8.8.8.8
By adding these options to the jail config we can now restrict a jail to specific IP address (ranges):
systemd_run_default_args=-p IPAddressAllow=1.1.1.1 -p IPAddressDeny=any --property=KillMode=mixed --property=Type=notify [...]
But to take the @skittlebrau syncthing example: I think you can use the syncthing.service file as reference and start it directly on the SCALE host using systemd-run (with the corresponding options taken from the .service file). You can then add the -p IPAddressAllow= and -p IPAddressDeny= options to restrict syncthing access to your management VLAN. No need to use a jail. But as indicated above it looks like you can even restrict an entire jail to certain IP ranges, and it would apply to all processes (including syncthing) running inside it...