jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 Commits
1 Branch
4.6 MiB
 
 
 
 
Branch: main
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'main'
${ noResults }
blog/content/posts/isolated-ip-management.html

166 lines
6.0 KiB
Raw Permalink Blame History 

  1. ---

  2. title: Isolated IP Management

  3. description: >

  4.   For routers, a management interface should always work, even if the

  5.   firewall is broken, or the IP address conflicts with other interfaces.

  6.   Isolating the interface to a vnet jail and using unix domain sockets fixes

  7.   this problem.

  8. posted: !!timestamp '2023-08-17'

  9. created: !!timestamp '2023-08-17'

  10. time: 12:00 PM

  11. tags:

  12.   - FreeBSD

  13.   - jails

  14. ---

  15. 

  16. The latest iteration of my home firewall has a spare interface.  Many

  17. switches these days have a dedicated management interface, and I wanted

  18. something similar for my firewall.  I want an interface that I can plug in,

  19. get an IP via DHCP, and I can ssh into and it'll "just work" even if

  20. there's a misconfiguration, or an IP conflict.

  21. 

  22. On FreeBSD,

  23. [vnet jails](https://wiki.freebsd.org/Jails#VNET-based_networking_for_Jails)

  24. are a way to isolate an interface such that it won't interfere (or receive

  25. interference) from other interfaces.  Some may have just used epair and

  26. assigned IPs, but this could cause conflict, while using a unix domain

  27. socket keeps things isolated, and FreeBSD ships w/ everything needed to

  28. make this work.  A package like `socat` isn't needed.

  29. 

  30. Configuring the host was straight forward, make a directory for the socket:

  31. ```

  32. mkdir /var/mgmt

  33. ```

  34. 

  35. And then add a line to `/etc/inetd.conf` to listen to incoming connections

  36. on the socket and launch `sshd`:

  37. ```

  38. /var/mgmt/mgmt.ssh.sock stream  unix    nowait  root    /usr/sbin/sshd  sshd -i

  39. ```

  40. 

  41. The `-i` option to `sshd` tells it to run in "`inetd`" mode, which means that

  42. the stdin and stdout of the process is the socket to use for communication.

  43. 

  44. The next harder part was getting a jail configured that would accept

  45. incoming connections and forward them to the unix domain socket.

  46. 

  47. First the jail configuration, which goes in `/etc/jail.conf` or similar

  48. location:

  49. ```

  50. mgmt {

  51.         host.hostname = mgmt;                           # Hostname

  52. 

  53.         vnet ="new";

  54.         vnet.interface="mgmt0";

  55. 

  56.         path = "/usr/jails/mgmt/root";                   # Path to the jail

  57.         mount.fstab="/usr/jails/mgmt/fstab";             # mount spec

  58. 

  59.         mount.devfs;                                    # Mount devfs inside the jail

  60.         devfs_ruleset = "101";

  61. 

  62.         exec.start = "/bin/sh /etc/rc";                 # Start command

  63.         exec.stop = "/bin/sh /etc/rc.shutdown";         # Stop command

  64. }

  65. ```

  66. 

  67. There isn't anything special in this.  It's pretty standard jail

  68. configuration, the differences are the vnet configuration, and the

  69. `devfs_ruleset`.

  70. 

  71. The `devfs_ruleset` is necessary in order to expose the bpf interface

  72. used by dhclient.  This required the following lines in `/etc/devfs.rules`:

  73. ```

  74. [mydevfsrules_jail=100]

  75. add include $devfsrules_hide_all

  76. add include $devfsrules_unhide_basic

  77. add include $devfsrules_unhide_login

  78. 

  79. [devfsrules_jail_dhcp=101]

  80. add include $mydevfsrules_jail

  81. add path 'bpf*' unhide

  82. ```

  83. 

  84. Note that after adding the above lines, you need to run:

  85. ```

  86. service devfs start

  87. ```

  88. to load the rules (per

  89. [devfs(8)](https://man.freebsd.org/cgi/man.cgi?query=devfs&apropos=0&sektion=8&manpath=FreeBSD+13.2-RELEASE+and+Ports&arch=default&format=html)

  90. man page).

  91. 

  92. Note: I learned my mistake not to number my blocks immediately after

  93. the standard defaults (from `/etc/defaults/devfs.rules`).  I had done that

  94. befure but there's now a conflict, so I skip ahead a bit to get a unique range.

  95. 

  96. Now I needed to make a number of directories for the jail:

  97. ```

  98. mkdir -p /usr/jails/mgmt/root

  99. mkdir -p /usr/jails/mgmt/etc

  100. mkdir -p /usr/jails/mgmt/var/mgmt

  101. mkdir -p /usr/jails/mgmt/tmp

  102. ```

  103. 

  104. I needed to setup the `fstab` for the jail:

  105. ```

  106. # Device                Mountpoint      FStype  Options         Dump    Pass#

  107. /                       /usr/jail/mgmt/root     nullfs  ro      0       0

  108. /usr/jail/mgmt/etc      /usr/jail/mgmt/root/etc nullfs  rw      0       0

  109. /usr/jail/mgmt/var      /usr/jail/mgmt/root/var nullfs  rw      0       0

  110. /var/mgmt               /usr/jail/mgmt/root/var/mgmt    nullfs  ro      0       0

  111. /usr/jail/mgmt/tmp      /usr/jail/mgmt/root/tmp nullfs  rw      0       0

  112. ```

  113. 

  114. This is a little bit more tricky, It first `nullfs` mounts the root system.

  115. I'm using ZFS boot environments, so this is a pretty clean FreeBSD install

  116. without much host specific data.  It then mounts some jail specific directories

  117. for `etc`, `tmp` and `var` and finally mounts the shared directory w/ the

  118. unix domain socket to the host system.  Also note that a couple of the mounts

  119. are read-only to prevent the jail from modifying the system.

  120. 

  121. The `etc` directory was populated from the system `etc` via:

  122. ```

  123. tar -cf - -C /etc . | tar -xf - -C /usr/jails/mgmt/etc

  124. ```

  125. 

  126. Then the jail was configured, first `/usr/jails/mgmt/etc/rc.conf`:

  127. ```

  128. hostname="mgmt.funkthat.com"

  129. 

  130. sendmail_enable="NONE"

  131. sendmail_submit_enable="NO"

  132. sendmail_outbound_enable="NO"

  133. sendmail_msp_queue_enable="NO"

  134. 

  135. # Management port

  136. ifconfig_mgmt0="DHCP"

  137. 

  138. # necessary as devd can't be run in a jail

  139. synchronous_dhclient="YES"

  140. 

  141. inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).

  142. ```

  143. 

  144. The key part of this configuration that took me a while to figure out was

  145. the `synchronous_dhclient` line.  It used to be that `netif` would start

  146. dhclient, but in order to better handle USB ethernet devices and other

  147. removable interfaces, it was moved to `devd`.  The only problem is that

  148. `devd` hasn't been jail'ified, and you can't run it to get things like

  149. link notifications that would normally launch dhclient.  Setting this to

  150. yes, makes sure it gets launched when the jail starts.

  151. 

  152. And then the following line was added to `/usr/jails/mgmt/etc/inetd.conf`:

  153. ```

  154. ssh     stream  tcp     nowait  root    /usr/bin/nc     nc -N -U /var/mgmt/mgmt.ssh.sock

  155. ```

  156. 

  157. This is the part that will forward incoming connections to the ssh port

  158. on to the unix domain socket.

  159. 

  160. Now that everything is configured, a simple `jail -c mgmt` will get

  161. the jail running and accepting connections.

  162. 

  163. This was testing and deployed on a FreeBSD 14-CURRENT build as of August

  164. 8th, 2023, or more specifically, from `main-n264621-09c20a29328`, but it

  165. should work on all currently supported FreeBSD releases.