Date: Sun, 13 Oct 2013 17:59:22 -0700
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
To: Uroš Gruber <uros.gruber@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: PF rule question
Message-ID: <525B41EA.8000501@bluerosetech.com>
In-Reply-To: <CAHGMo946+Zmz1tpn1b=PjLTvSfEa9EMRXKypuyTM7X65yhow1w@mail.gmail.com>
References: <CAHGMo946+Zmz1tpn1b=PjLTvSfEa9EMRXKypuyTM7X65yhow1w@mail.gmail.com>
On 10/9/2013 3:54 PM, Uroš Gruber wrote:
> Hi,
>
> I'm struggling to complete my pf firewall configuration with a bit more
> optimized rules.
>
> I have a few hundred jails set up on the network from 172.16.1.0 to 172.16.10.0.
>
> My goal is to deny access between jails, but allow a few exceptions, for
> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>
> I've accomplished this with rules like
>
> pass on lo0 from $jailnet to 172.16.1.0/26
> pass on lo0 from 172.16.1.1 to 172.16.1.1
>
> I would like to know if there is a better way to write such rules, mostly
> because all those jails are very dynamic in terms of
> running, stopping/destroying etc. and also IP aliases are removed and added
> back continuously.

Use an anchor for the "pass on lo0 from X to X" rules and a table for the
jailnet. Then have your jail provisioning scripts manipulate the table and
anchor as jails come up and down.

In /etc/pf.conf:

  table <jailnet> persist
  pass on lo0 from <jailnet> to 172.16.1.0/26
  anchor jails

When bringing up a jail:

  # pfctl -t jailnet -T add 192.0.2.65
  # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"

When taking down a jail:

  # pfctl -t jailnet -T delete 192.0.2.65
  # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
  # pfctl -k 192.0.2.65

You'll need to reload the table and anchor rules on a system restart. You can
do that with rules in /etc/pf.conf:

  table <jailnet> persist file "/path/to/jailnet_address_list"
  load anchor jails from "/path/to/jails_rules_list"

or directly using pfctl:

  # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
  # pfctl -a jails -f /path/to/jails_rules_list
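A provisioning helper in the spirit of the reply, added here and not part of the post or of FreeBSD itself: it keeps the <jailnet> table and the jail anchor in step with a jail's lifecycle and mirrors each change into the files reloaded after a restart. It gives every jail its own sub-anchor under jails/ because loading rules into an anchor with "pfctl -a ... -f" replaces that anchor's whole ruleset, and it validates the address and jail name before either reaches a rule, an anchor name or a path. The file paths, function names and the $PFCTL wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed (hypothetical) layout:
#   /etc/pf.conf:  table <jailnet> persist file "/etc/pf/jailnet"
#                  anchor "jails/*"
#   /etc/pf/jails.d/<jailname> holds that jail's rule.
# One sub-anchor per jail, because "pfctl -a jails -f" replaces the whole
# ruleset of that anchor. $PFCTL wraps pfctl so PFCTL=: gives a dry run.
PFCTL="${PFCTL:-pfctl}"
PF_DIR="${PF_DIR:-/etc/pf}"

# Anything spliced into a rule, anchor name or path is validated first:
# dotted-quad IPv4 with octets 0-255, jail name without path characters.
valid_ip4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}
valid_name() { echo "$1" | grep -Eq '^[A-Za-z0-9_-]+$'; }
jail_rule()  { printf 'pass on lo0 from %s to %s\n' "$1" "$1"; }

# Bring a jail up: write the boot-time files, then apply to the live ruleset.
jail_pf_up() {   # usage: jail_pf_up <jailname> <ip>
    name=$1; ip=$2
    valid_name "$name" && valid_ip4 "$ip" || return 1
    mkdir -p "$PF_DIR/jails.d"
    jail_rule "$ip" > "$PF_DIR/jails.d/$name"
    grep -qxF "$ip" "$PF_DIR/jailnet" 2>/dev/null || echo "$ip" >> "$PF_DIR/jailnet"
    "$PFCTL" -t jailnet -T add "$ip" && "$PFCTL" -a "jails/$name" -f "$PF_DIR/jails.d/$name"
}

# Take a jail down: flush its sub-anchor, drop the table entry, kill its
# states (as in the post), then remove it from the boot-time files.
jail_pf_down() {  # usage: jail_pf_down <jailname> <ip>
    name=$1; ip=$2
    valid_name "$name" && valid_ip4 "$ip" || return 1
    "$PFCTL" -a "jails/$name" -F rules
    "$PFCTL" -t jailnet -T delete "$ip"; "$PFCTL" -k "$ip"
    rm -f "$PF_DIR/jails.d/$name"
    if [ -f "$PF_DIR/jailnet" ]; then
        grep -vxF "$ip" "$PF_DIR/jailnet" > "$PF_DIR/jailnet.new" || :
        mv "$PF_DIR/jailnet.new" "$PF_DIR/jailnet"
    fi
}

# After a reboot pf.conf restores the table; the sub-anchors need this.
jail_pf_reload() {
    for f in "$PF_DIR"/jails.d/*; do
        [ -f "$f" ] && "$PFCTL" -a "jails/${f##*/}" -f "$f" || :
    done
}
```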