Jails in a separate network

Status
Not open for further replies.

Jelmer

Cadet
Joined
Mar 11, 2014
Messages
8
Hello All,

I've been using FreeNAS for a year or two now, and am very happy with it. Recently I've moved from using a VM to a hardware box that meets the recommended specs (I think). I'm now running on a homebuilt Intel i3 system with 16GB RAM and three 2TB WD Green drives in RaidZ.

So I'm looking into the possibility of sharing some stuff over the internet. I don't like putting my stuff in a third party managed cloud so I'd like to take a look at the owncloud plugin.

My network has several zones, separated by a firewall.
-Internet
-DMZ (internet accessible stuff)
-LAN (Freenas is here)

So the nice thing about jails is that they are completely separated from the rest of the system. Since I'm going to allow access from the internet, that's very important. I'd really like to have the same separation on the network side of things. However, when a jail is created, it automatically assumes that you want to bridge it to the interface that has your default route. To me that makes no sense, since the system inside the jail basically has nothing to do with the default route of the host system; it can have its own default route. Is there any way of working around this limitation? I'm not afraid of using the CLI, but I do like my changes to be persistent across reboots.
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
So all internet enabled gear is within the DMZ? You should be able to set up jails segregated.. Have you tried making the appropriate changes from the jail GUI? Probably going to require the CLI..
 

Jelmer

Cadet
Joined
Mar 11, 2014
Messages
8
So all internet enabled gear is within the DMZ?

No, you can access the internet from the LAN zone also. But when I want to make something reachable from the internet (incoming connections) it's in the DMZ. For example my anti-spam gateway is in the DMZ.

I'm using FreeNAS 9.2.1.2-RELEASE-x64
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
You can select multiple items for DMZ? I don't like the idea of using a DMZ.. I see a lot of people are using it as a segregation tool? This seems like a massive security oversight despite most people thinking it's protecting them more..

Now if you set up both NICs.. and then configure your jails to use the second adapter, can you use the GUI to set up your jails as you like?
 

ser_rhaegar

Patron
Joined
Feb 2, 2014
Messages
358
You can select multiple items for DMZ? I don't like the idea of using a DMZ.. I see a lot of people are using it as a segregation tool? This seems like a massive security oversight despite most people thinking it's protecting them more..
I set up a DMZ for anything publicly accessible. Then firewall rules that allow incoming connections from the internet to specific ports to specific IPs in the DMZ. The DMZ has no access to the internal network, or specific pinholes for specific ports/IPs as needed. This puts a buffer between compromised systems and your internal network. In this example the DMZ is at the very least a separate VLAN/subnet, but preferably a separate physical connection. Due to the way jails/FreeNAS seem to work (single gateway), I would only use OwnCloud on a separate system in the DMZ though.

Although for my current home network, my DMZ is only for the lab network equipment. Anything production requires a VPN connection but this is mainly because Comcast doesn't like servers showing up on home IPs.
 

Jelmer

Cadet
Joined
Mar 11, 2014
Messages
8
If the system is hacked because of an owncloud security vulnerability (and me not regularly installing patches), the jail system ensures that the attacker can't access the rest of my freenas box. If the attacker can then access my freenas box from the jail through the network, the jail system didn't do me that much good. To prevent that, I'd like the jail in a different network zone so that one cannot access the freenas or other machines from the jailed box using the network. My firewall prevents access from the DMZ to the LAN network.

Back to the jail configuration problem:
If I manually bridge epair0a with vlan1602 (my DMZ interface), everything works as expected, and I can ping other machines on the local subnet:

Code:
[root@files1] /conf/base# ifconfig bridge0 destroy
[root@files1] /conf/base# ifconfig bridge0 create
[root@files1] /conf/base# ifconfig bridge0 addm epair0a
[root@files1] /conf/base# ifconfig bridge0 addm vlan1602
[root@files1] /conf/base# ifconfig epair0a up
[root@files1] /conf/base# ifconfig vlan1602 up
[root@files1] /conf/base# ifconfig bridge0 up
[root@files1] /conf/base# jailme 6 csh
root@owncloud_1:/ # ifconfig epair0b 172.16.2.32/24
root@owncloud_1:/ # ping 172.16.2.6
PING 172.16.2.6 (172.16.2.6): 56 data bytes
64 bytes from 172.16.2.6: icmp_seq=0 ttl=64 time=0.482 ms
 
[root@files1] /conf/base# jailme 6 csh


The stuff that I did inside the jail can also be done from the GUI. But the bridge is always created with the wrong interface. I'm sure that after a reboot, my interface is bridged with vlan1600 (LAN) again. I'm looking for a way to prevent that from happening.
 
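Added example, not from this thread and not FreeNAS code: since the concern above is that a reboot silently rebuilds bridge0 against the LAN VLAN, a small POSIX sh check can be run after boot to confirm which interfaces actually share the bridge with the jail's epair. It assumes the interface names used in the posts (epair0a, vlan1602 for the DMZ, vlan1600 for the LAN) and the FreeBSD `ifconfig bridge0` output format with `member:` lines; the two sample outputs below are constructed for offline testing, not captured from a real host.

```shell
#!/bin/sh
# Verify that a jail's epair is bridged to the DMZ VLAN and not the LAN VLAN.
# Interface names are assumptions taken from the thread; adjust to your box.

# Constructed sample: the state the poster sees after a reboot (epair on LAN).
SAMPLE_LAN_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000
        member: vlan1600 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000'

# Constructed sample: the desired state after the manual re-bridge (epair on DMZ).
SAMPLE_DMZ_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000
        member: vlan1602 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000'

# bridge_members <ifconfig-output>
# Prints the member interface names of a bridge, one per line.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }'
}

# check_jail_uplink <ifconfig-output> <epair> <wanted-vlan> <forbidden-vlan>
# Exit status: 0 = epair and wanted VLAN are on the bridge and the forbidden
# VLAN is not; 1 = forbidden VLAN is attached (jail would sit on the LAN);
# 2 = epair or wanted VLAN is missing from the bridge.
check_jail_uplink() {
    members=$(bridge_members "$1")
    echo "$members" | grep -qx "$2" || return 2
    echo "$members" | grep -qx "$4" && return 1
    echo "$members" | grep -qx "$3" || return 2
    return 0
}

# On a live host this would be run as:
#   check_jail_uplink "$(ifconfig bridge0)" epair0a vlan1602 vlan1600
# A nonzero status means the boot-time bridge differs from the intended one.
```

Wire the live form of the call into whatever post-boot hook you already trust and treat any nonzero status as a signal that the jail is reachable from the LAN side again; the check only reads `ifconfig` output and changes nothing.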

ser_rhaegar

Patron
Joined
Feb 2, 2014
Messages
358
Unless something has changed recently, your jail is forced to share a gateway with the FreeNAS box. So you cannot put the jail on a different vlan and have it access anything but that vlan as it won't be able to reach its gateway. This was my experience when I attempted this on FreeNAS 9.2.0.
 