# FreeBSD 10 + jail + bridge + tap problem to isolate jail



## clementj (Oct 5, 2014)

Hi everybody.

I searched a lot on this forum and the net because I am blocked by a problem isolating my jails. I can explain my problem like this: I would like to create different virtual interfaces and bridge them into groups with if_bridge.

I would like to isolate and accept/reject everything inside my local server before it goes out. I would like to do this with pf() afterwards, but I don't know which method is the better way to do this (tap or epair, or ?). My pf.conf blocks nothing from inside and does nothing else (no rdr, no pass for the moment; it just blocks from external), and when I use ifconfig() from my jail "services" I can see every bridge and interface.

My goal is not to use virtual loopback or aliases, because I would like to keep control with clean pf() rules afterwards.

My rc.conf:

```
ifconfig_xn0="inet 41.1.1.1 netmask 255.255.255.0"
ifconfig_xn0_alias0="41.1.1.2 netmask 255.255.255.255"
defaultrouter="41.1.1.254"

gateway_enable="YES"
ipv6_gateway_enable="NO"

cloned_interfaces="bridge1 tap11 tap12 tap13 \
                   bridge2 tap21 tap22 tap23 "

ifconfig_bridge1="addm tap11 addm tap12 addm tap13 up"
ifconfig_bridge1_alias0="inet 10.0.1.254 netmask 255.255.255.0"
ifconfig_tap11="inet 10.0.1.1 netmask 255.255.255.0"            # jail1
ifconfig_tap12="inet 10.0.1.2 netmask 255.255.255.0"            # jail2
ifconfig_tap13="inet 10.0.1.3 netmask 255.255.255.0"            # jail3

ifconfig_bridge2="addm tap21 addm tap22 addm tap23 up"
ifconfig_bridge2_alias0="inet 10.0.2.254 netmask 255.255.255.0"
ifconfig_tap21="inet 10.0.2.1 netmask 255.255.255.0"            # jail4
ifconfig_tap22="inet 10.0.2.2 netmask 255.255.255.0"            # jail5
ifconfig_tap23="inet 10.0.2.3 netmask 255.255.255.0"            # jail6

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
pflog_flags=""

kern_securelevel_enable="NO"
kern_securelevel="1"

sshd_enable="YES"
qjail_enable="YES"
```

My /etc/pf.conf:

```
IF_MYSERVER  = "xn0"
IP1_MYSERVER = "41.1.1.1"
IP2_MYSERVER = "41.1.1.2"

DMZ_1          = "10.0.1.0"
BR_DMZ_1       = "bridge1"
MYSERVER_DMZ_1 = "10.0.1.254"
TAP_NS1_DMZ_1  = "tap11"
NS1_DMZ_1      = "10.0.1.1"
TAP_MX1_DMZ_1  = "tap12"
MX1_DMZ_1      = "10.0.1.2"
TAP_JAB_DMZ_1  = "tap13"
JAB_DMZ_1      = "10.0.1.3"

LOCAL_2              = "10.0.2.0"
BR_LOCAL_2           = "bridge2"
MYSERVER_LOCAL_2     = "10.0.2.254"
TAP_SERVICES_LOCAL_2 = "tap21"
SERVICES_LOCAL_2     = "10.0.2.1"
TAP_PROXY_LOCAL_2    = "tap22"
PROXY_LOCAL_2        = "10.0.2.2"
TAP_LOG_LOCAL_2      = "tap23"
LOG_LOCAL_2          = "10.0.2.3"

set skip on lo0
### $IF_MYSERVER: default block with drop
block drop in log on $IF_MYSERVER
pass out log on $IF_MYSERVER inet proto tcp  from ($IF_MYSERVER) to !($IF_MYSERVER)
pass out log on $IF_MYSERVER inet proto udp  from ($IF_MYSERVER) to !($IF_MYSERVER)
pass out log on $IF_MYSERVER inet proto icmp from ($IF_MYSERVER) to !($IF_MYSERVER)
```
I create my jail on `tap21` like this:

`# qjail create -n bridge2 -4 "tap21|10.0.2.1" "services_local_2"`

and I also try to remove the "qjail auto-alias", because it is unnecessary on the NIC, with:

`# qjail config -c null services_local_2`

When I enter this jail I can see the other bridges and interfaces with `ifconfig`. I tried many, many possibilities with qjail but nothing helped me get my way.

On different websites I see some people use bridge+epair instead of bridge+tap, but nothing changes. I know my problem is a little confusing, but if you understand my goal, could you explain to me which is the most "robust" and "production ready" method to isolate different interfaces and bridges so I can manage them nicely with pf() afterwards ;-)

I am sorry for my poor English; I will try again and follow your advice. Thanks a lot guys.
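As an added example (editor's illustration, not the poster's configuration), a pf.conf built on the macros from the post that enforces the isolation described: each jail may only speak from its own tap, the DMZ_1 and LOCAL_2 segments can never reach each other, and only explicitly published services get in. The DMZ_TAPS/LOCAL_TAPS macros, the /24 on the segment macros, and the service ports are assumptions; the ruleset also assumes the jails are VNET jails that own their taps and the if_bridge filtering defaults.

```pf
# Added example, not from the original post: pf rules on the poster's own
# macros. Assumes each jail is a VNET jail that owns its tap (otherwise
# jail-to-jail traffic stays on lo0 and never crosses a bridge) and the
# if_bridge defaults net.link.bridge.pfil_member=1 and pfil_bridge=1.
IF_MYSERVER  = "xn0"
IP1_MYSERVER = "41.1.1.1"
DMZ_1   = "10.0.1.0/24"        # the whole segment, not a single host
LOCAL_2 = "10.0.2.0/24"
DMZ_TAPS   = "{ tap11 tap12 tap13 }"
LOCAL_TAPS = "{ tap21 tap22 tap23 }"
NS1_DMZ_1     = "10.0.1.1"
MX1_DMZ_1     = "10.0.1.2"
PROXY_LOCAL_2 = "10.0.2.2"
LOG_LOCAL_2   = "10.0.2.3"

set skip on lo0
set block-policy drop

# Translation first: FreeBSD 10 ships the pre-4.7 pf, so nat/rdr precede filters.
nat on $IF_MYSERVER from { $DMZ_1, $LOCAL_2 } to any -> ($IF_MYSERVER)
rdr on $IF_MYSERVER proto { tcp udp } to $IP1_MYSERVER port 53 -> $NS1_DMZ_1
rdr on $IF_MYSERVER proto tcp to $IP1_MYSERVER port 25 -> $MX1_DMZ_1

# Deny by default. Policy is enforced where traffic enters (a jail's tap, or
# xn0 for the internet); egress is passed on any interface, because a forwarded
# packet is filtered again, with state, on every interface it leaves through.
block log all
# Anti-spoofing: a tap may only source addresses of its own segment.
block in log quick on $DMZ_TAPS   from ! $DMZ_1
block in log quick on $LOCAL_TAPS from ! $LOCAL_2
# The two segments never reach each other, whatever the pass rules below allow.
block in log quick from $DMZ_1   to $LOCAL_2
block in log quick from $LOCAL_2 to $DMZ_1

# DMZ_1: the published services only, and only their own egress.
pass in on $IF_MYSERVER proto { tcp udp } to $NS1_DMZ_1 port 53
pass in on $IF_MYSERVER proto tcp to $MX1_DMZ_1 port 25
pass in on $DMZ_TAPS proto { tcp udp } from $NS1_DMZ_1 to ! $DMZ_1 port 53
pass in on $DMZ_TAPS proto tcp from $MX1_DMZ_1 to ! $DMZ_1 port 25
pass in on $DMZ_TAPS proto { tcp udp } from $MX1_DMZ_1 to $NS1_DMZ_1 port 53

# LOCAL_2: only the proxy leaves the host; every jail may send syslog to LOG.
pass in on $LOCAL_TAPS proto tcp from $PROXY_LOCAL_2 to ! $LOCAL_2 port { 80 443 }
pass in on $LOCAL_TAPS proto udp from $LOCAL_2 to $LOG_LOCAL_2 port 514

# Host-originated traffic and anything already admitted above.
pass out all
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` while testing from a jail: every cross-segment attempt should show up as a logged block on the jail's tap.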
