# Jails - Limited Access to Network Resources



## Ryan0rZ (Feb 19, 2011)

Hi,

I'm setting up a server that will have two NICs and each NIC will exist on completely separate networks. One is on the Internet side, the other is on a private network not on the Internet. I want to create a jail on the Internet side that will basically have no knowledge of the private network's side. 

To accomplish this, I've created the jail and added pretty restrictive devfs rules. However, one thing I can't figure out is how to limit the Internet side's knowledge of the other interface.


```
jail# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:88:e6:24
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:88:e6:2e
        inet 192.168.0.10 netmask 0xffffffff broadcast 192.168.0.10
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
```

The jail's interface is em1. Ideally, I'd like it to not be able to see em0, but I can't figure out how to do it with devfs.rules. By allowing /dev/bpf and using tcpdump, I can verify that the jail currently has access to em0.

How do I limit my jail's access to em0? I'd prefer not to have to use pf/firewall rules if I can avoid it. There should be a way to do it with limiting devices.

Any help would be greatly appreciated.


----------



## Ryan0rZ (Feb 21, 2011)

I did a little more research into my problem. ifconfig calls the libc function getifaddrs which uses the sysctl interface. The sysctl interface returns a list of network devices. Dumping the sysctl settings, we can grep for the device name:


```
root@host:~ # sysctl -a | grep dev.em
dev.em.0.%desc: Intel(R) PRO/1000 Legacy Network Connection 1.0.1
dev.em.0.%driver: em
dev.em.0.%location: slot=1 function=0 handle=\_SB_.PCI0.P2P0.S2F0
dev.em.0.%pnpinfo: vendor=0x8086 device=0x100f subvendor=0x15ad subdevice=0x0750 class=0x020000
dev.em.0.%parent: pci2
dev.em.0.debug: -1
dev.em.0.stats: -1
dev.em.0.rx_int_delay: 0
dev.em.0.tx_int_delay: 66
dev.em.0.rx_abs_int_delay: 66
dev.em.0.tx_abs_int_delay: 66
dev.em.0.rx_processing_limit: 100
dev.em.0.wake: 0
dev.em.1.%desc: Intel(R) PRO/1000 Legacy Network Connection 1.0.1
dev.em.1.%driver: em
dev.em.1.%location: slot=2 function=0 handle=\_SB_.PCI0.P2P0.S3F0
dev.em.1.%pnpinfo: vendor=0x8086 device=0x100f subvendor=0x15ad subdevice=0x0750 class=0x020000
dev.em.1.%parent: pci2
dev.em.1.debug: -1
dev.em.1.stats: -1
dev.em.1.rx_int_delay: 0
dev.em.1.tx_int_delay: 66
dev.em.1.rx_abs_int_delay: 66
dev.em.1.tx_abs_int_delay: 66
dev.em.1.rx_processing_limit: 100
dev.em.1.wake: 0
```

Now, the question has been refined to: How can I filter the sysctl list being passed to the jail?

I'm not sure what I want to do is possible. Please correct me!


----------



## SirDice (Feb 21, 2011)

Ryan0rZ said:

> Now, the question has been refined to: How can I filter the sysctl list being passed to the jail?


You can't.


> I'm not sure what I want to do is possible. Please correct me!


Nope, not possible as far as I know.


----------



## Sacha (Oct 29, 2016)

Hello,

I'm bringing this old thread back to life!

6 years later, is there any way to achieve this need?


----------

