From: Matt Lager <matt@soliddataservices.com>
Date: Sat, 29 Mar 2014 11:07:28 -0700
To: freebsd-pf@freebsd.org
Subject: Re: Controlling traffic between jails on the same host
Message-ID: <53370BE0.20806@soliddataservices.com>
In-Reply-To: <533692E0.6000104@gmail.com>

That was it, lo0 was the answer and I had set skip on lo0.
For some reason, that's in every freaking pf.conf example out there so I never gave it a second thought. Thanks :)

On 3/29/2014 2:31 AM, Mikal Sande wrote:
> On 03/29/2014 07:43 AM, Matt Lager wrote:
>> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3 jails on it. The host and each jail are assigned a public IP address. The host runs PF that controls inbound and outbound traffic for itself and its jails. All works really nicely. Here's a basic diagram:
>>
>> PF does a really good job controlling traffic to and from remote systems. I have recently come across the need to limit traffic from jails on the host to other jails on the same host, i.e. HostA-JailA needs to not be able to communicate with HostA-JailB. What I am seeing, however, is that because all these jails share a single interface, the traffic must not be going through PF as it is just seen as local traffic.
>>
>> I briefly tried to bring up a jail on another interface (lo1 for example) and use NAT to provide it with its connectivity, but even then the local traffic was still not filterable.
>>
>> There's got to be a way, but my brain hasn't thought of it yet. Any advice would be amazing, thanks so much ahead of time!
>>
>> --Matt
>>
> Do you have rules that allow all traffic on loopback, or do you have 'set skip on lo0' or something in your pf.conf? I had the latter set last time I tried to limit traffic between jails, it took me a little time to realize it.

-- 
Solid Data Services
Matt Lager / President
Office: 480-351-5122
Mobile: 501-269-8606
www.SolidDataServices.com
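The mechanism behind the thread, as a pf.conf fragment: two jails on the same host share one interface, so a packet from one jail's address to another jail's address never leaves the machine; the kernel delivers it over lo0, and `set skip on lo0` removes lo0 from pf before any rule is consulted. This is an added example, not configuration from either poster. The interface name em0 and the 203.0.113.x addresses are constructed placeholders (RFC 5737 documentation range), and the rule set goes slightly beyond the thread by also keeping each jail able to reach its own address, which a plain "block jails to jails" rule would break.

```pf
# pf.conf fragment (added example). Macros and addresses are assumptions,
# not the original poster's values.
ext_if  = "em0"                 # assumed name of the shared interface
host_ip = "203.0.113.10"        # host's own address
jail_a  = "203.0.113.11"        # constructed jail addresses, aliased on $ext_if
jail_b  = "203.0.113.12"
jail_c  = "203.0.113.13"
jails   = "{" $jail_a $jail_b $jail_c "}"

# BEFORE: the line that makes inter-jail traffic unfilterable. Packets
# between two jails on this host are delivered over lo0, and 'set skip'
# takes lo0 out of pf entirely, so none of the rules below ever see them.
#set skip on lo0

# AFTER: leave lo0 under pf control and filter it explicitly.
# Default deny; every pass below uses 'quick' so first match wins.
block log all

# Ordinary loopback traffic (127.0.0.0/8) and the host talking to itself.
pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 from $host_ip to $host_ip

# A jail connecting to its own address also arrives on lo0; allow that
# before the isolation rule, or services inside a jail that talk to
# themselves break.
pass quick on lo0 from $jail_a to $jail_a
pass quick on lo0 from $jail_b to $jail_b
pass quick on lo0 from $jail_c to $jail_c

# Jail isolation: jails may reach the host and vice versa, but not each
# other. Logged so blocked attempts show up on pflog0.
block log quick on lo0 from $jails to $jails
pass quick on lo0 from $jails to $host_ip keep state
pass quick on lo0 from $host_ip to $jails keep state

# Traffic to and from remote systems on the real interface, as before.
pass in  quick on $ext_if proto tcp to $jails port { 80 443 } keep state
pass out quick on $ext_if from { $host_ip $jails } keep state
```

Check the new file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s Interfaces` then shows whether lo0 is still marked as skipped, and a connection attempt from one jail to another should appear as a block entry on pflog0 (`tcpdump -n -e -ttt -i pflog0`). Inter-jail traffic that is still not filtered after this change usually means some other pass rule on lo0 (for example a blanket `pass quick on lo0`) sits above the isolation rule.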