Date:      Sun, 13 Oct 2013 19:02:47 -0600
From:      Rob Fraser <rob@logicalhosting.ca>
To:        Darren Pilgrim <list_freebsd@bluerosetech.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF rule question
Message-ID:  <CAN2gSVbwmw-wdJPRYMpkxSNKeEDqVmWUn6ed=6ij5PmEY1Acjw@mail.gmail.com>
In-Reply-To: <525B41EA.8000501@bluerosetech.com>
References:  <CAHGMo946%2BZmz1tpn1b=PjLTvSfEa9EMRXKypuyTM7X65yhow1w@mail.gmail.com> <525B41EA.8000501@bluerosetech.com>

Would this work?

block in on lo0 from lo0 to lo0
block out on lo0 from lo0 to lo0




On Sun, Oct 13, 2013 at 6:59 PM, Darren Pilgrim <
list_freebsd@bluerosetech.com> wrote:

> On 10/9/2013 3:54 PM, Uroš Gruber wrote:
>
>> Hi,
>>
>> I'm struggling to complete my pf firewall configuration with a bit more
>> optimized rules.
>>
>> I have a few hundreds jails set up on network from 172.16.1.0 to
>> 172.16.10.0
>>
>> My goal is to deny access between jails, but allow a few exceptions for
>> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>>
>> I've accomplished this with rules like
>>
>> pass on lo0 from $jailnet to 172.16.1.0/26
>> pass on lo0 from 172.16.1.1 to 172.16.1.1
>>
>> I would like to know if there is a better way to write such rules, mostly
>> because all those jails are very dynamic in terms of
>> running, stopping/destroying etc. and also IP aliases are removed and added
>> back continuously.
>>
>
> Use an anchor for the "pass on lo0 from X to X" rules and a table for the
> jailnet.  Then have your jail provisioning scripts manipulate the table and
> anchor as jails come up and down.
>
> In /etc/pf.conf:
>
>         table <jailnet> persist
>         pass on lo0 from <jailnet> to 172.16.1.0/26
>         anchor "jails"
>
> When bringing up a jail:
>
> # pfctl -t jailnet -T add 192.0.2.65
> # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
>
> When taking down a jail:
>
> # pfctl -t jailnet -T delete 192.0.2.65
> # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
> # pfctl -k 192.0.2.65
>
> You'll need to reload the table and anchor rules on a system restart. You
> can do that with rules in /etc/pf.conf:
>
>         table <jailnet> persist /path/to/jailnet_address_list
>         load anchor jails from /path/to/jails_rules_list
>
> or directly using pfctl:
>
> # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
> # pfctl -a jails -f /path/to/jails_rules_list
>



-- 
Rob Fraser
rob@logicalhosting.ca
www.logicalhosting.ca
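The table-plus-anchor scheme Darren describes, written out as a small provisioning helper. This is an added example, not code from the thread or from FreeBSD; the function names, the `jails/<name>` sub-anchor layout and the `PFCTL`/`TABLE`/`ANCHOR` variables are assumptions. Two details matter for getting it right: pf evaluates the last matching rule unless `quick` is used, so the default `block on lo0` has to sit before the pass rules and the anchor; and `pfctl -a X -f -` replaces everything in anchor X, so loading "one rule per jail" into a single anchor would overwrite the previous jail's rule. Giving each jail its own sub-anchor under `anchor "jails/*"` avoids that, and `-F rules` on that sub-anchor removes exactly that jail's rule on teardown. A single `-k addr` only kills states that originated from the jail; the second form `-k 0.0.0.0/0 -k addr` kills states to it.

```shell
#!/bin/sh
# Added example, not code from the thread: drive pf tables and per-jail
# anchors from a jail provisioning script.  Assumes /etc/pf.conf contains
# (last matching rule wins, so the default block must come first):
#
#     table <jailnet> persist
#     block on lo0
#     pass on lo0 from <jailnet> to 172.16.1.0/26
#     anchor "jails/*"
#
# PFCTL, TABLE and ANCHOR are assumed names; PFCTL can be pointed at a stub
# (or shadowed by a shell function) for a dry run.
set -eu

PFCTL=${PFCTL:-pfctl}
TABLE=jailnet
ANCHOR=jails

# Rule text for one jail: only traffic the jail sends to itself on lo0.
jail_rule() {
    printf 'pass on lo0 from %s to %s\n' "$1" "$1"
}

# Bring a jail up.  Loading with -f replaces the whole anchor it targets,
# so each jail gets its own sub-anchor (jails/<name>) and the rules of the
# other jails are left untouched.
jail_up() {
    name=$1; addr=$2
    "$PFCTL" -t "$TABLE" -T add "$addr"
    jail_rule "$addr" | "$PFCTL" -a "$ANCHOR/$name" -f -
}

# Take a jail down: flush its sub-anchor, drop it from the table and kill
# existing states, both those originating from the jail and those to it.
jail_down() {
    name=$1; addr=$2
    "$PFCTL" -a "$ANCHOR/$name" -F rules
    "$PFCTL" -t "$TABLE" -T delete "$addr"
    "$PFCTL" -k "$addr"
    "$PFCTL" -k 0.0.0.0/0 -k "$addr"
}

# After a reboot the table and the anchors are empty: replay a "name addr"
# list (one jail per line, constructed by the provisioning system) instead
# of loading one flat rules file into a single anchor.
reload_all() {
    while read -r name addr; do
        [ -n "$name" ] || continue
        jail_up "$name" "$addr"
    done < "$1"
}
```

Usage from a jail start/stop hook is `jail_up web1 192.0.2.65` and `jail_down web1 192.0.2.65`; at boot, `reload_all /path/to/jail_list` after pf itself has loaded `/etc/pf.conf`. Because the table is declared `persist` it survives having zero members, and `pfctl -t jailnet -T show` / `pfctl -a jails/web1 -s rules` are the quickest way to confirm what the hooks actually installed.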



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN2gSVbwmw-wdJPRYMpkxSNKeEDqVmWUn6ed=6ij5PmEY1Acjw>