From owner-freebsd-pf@FreeBSD.ORG Mon Oct 14 00:59:34 2013
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 87C5EAAA for ; Mon, 14 Oct 2013 00:59:34 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com)
Received: from yoshi.bluerosetech.com (yoshi.bluerosetech.com [IPv6:2607:f2f8:a450::66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 6F1B02078 for ; Mon, 14 Oct 2013 00:59:34 +0000 (UTC)
Received: from chombo.houseloki.net (c-76-27-220-79.hsd1.wa.comcast.net [76.27.220.79]) by yoshi.bluerosetech.com (Postfix) with ESMTPSA id D9075E6079; Sun, 13 Oct 2013 17:59:33 -0700 (PDT)
Received: from [IPv6:2601:7:1680:365:e014:714:9e41:4c79] (unknown [IPv6:2601:7:1680:365:e014:714:9e41:4c79]) by chombo.houseloki.net (Postfix) with ESMTPSA id A24D2925; Sun, 13 Oct 2013 17:59:31 -0700 (PDT)
Message-ID: <525B41EA.8000501@bluerosetech.com>
Date: Sun, 13 Oct 2013 17:59:22 -0700
From: Darren Pilgrim
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Uroš Gruber, freebsd-pf@freebsd.org
Subject: Re: PF rule question
References:
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Mon, 14 Oct 2013 00:59:34 -0000

On 10/9/2013 3:54 PM, Uroš Gruber wrote:
> Hi,
>
> I'm struggling to complete my pf firewall configuration with a bit more
> optimized rules.
>
> I have a few hundred jails set up on networks from 172.16.1.0 to 172.16.10.0
>
> My goal is to deny access between jails, but allow a few exceptions, for
> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>
> I've accomplished this with rules like
>
> pass on lo0 from $jailnet to 172.16.1.0/26
> pass on lo0 from 172.16.1.1 to 172.16.1.1
>
> I would like to know if there is a better way to write such rules, mostly
> because all those jails are very dynamic in terms of
> running, stopping/destroying etc. and also IP aliases are removed and added
> back continuously.

Use an anchor for the "pass on lo0 from X to X" rules and a table for the jailnet. Then have your jail provisioning scripts manipulate the table and anchor as jails come up and down.

In /etc/pf.conf:

table <jailnet> persist
pass on lo0 from <jailnet> to 172.16.1.0/26
anchor "jails"

When bringing up a jail:

# pfctl -t jailnet -T add 192.0.2.65
# pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"

When taking down a jail:

# pfctl -t jailnet -T delete 192.0.2.65
# pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
# pfctl -k 192.0.2.65

You'll need to reload the table and anchor rules on a system restart. You can do that with rules in /etc/pf.conf:

table <jailnet> persist file "/path/to/jailnet_address_list"
load anchor jails from "/path/to/jails_rules_list"

or directly using pfctl:

# pfctl -t jailnet -T add -f /path/to/jailnet_address_list
# pfctl -a jails -f /path/to/jails_rules_list
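The provisioning hook Darren sketches above, written out as one complete script. This is an added example, not code from his post: the table name jailnet, the anchor name jails, the state directory /var/db/pf and the PFCTL override variable are assumptions for the example, and the pf.conf fragment in its header comment is the one it expects. It differs from the one-liners above in three places a practitioner should know about: `pfctl -a jails -f FILE` replaces the anchor's entire ruleset, so the script keeps the jail address list on disk and regenerates every rule on each change instead of loading a single rule; the address is validated as a dotted quad before it is interpolated into rule text, since it arrives from whatever provisioning system calls the hook; and `pfctl -k HOST` kills only states whose source is HOST, so teardown also runs `pfctl -k 0.0.0.0/0 -k HOST` to drop states towards the jail. It is plain /bin/sh (the `<<<` here-string above is a bash/zsh extension, not POSIX sh).

```shell
#!/bin/sh
# Added example (not from the original post): keep the <jailnet> table and
# the "jails" anchor in sync with running jails. Assumed /etc/pf.conf lines
# (table name, anchor name and paths are assumptions for this example):
#   table <jailnet> persist file "/var/db/pf/jailnet.addrs"
#   pass on lo0 from <jailnet> to 172.16.1.0/26
#   anchor "jails"
#   load anchor jails from "/var/db/pf/jails.rules"
set -eu

PFCTL=${PFCTL:-pfctl}              # set PFCTL=: to dry-run without touching pf
STATE_DIR=${STATE_DIR:-/var/db/pf} # assumed location of the on-disk lists
TABLE=jailnet
ANCHOR=jails

# Accept only a dotted-quad IPv4 address with octets 0-255. The address is
# pasted into rule text, so anything else ("10.0.0.1 to any") is rejected.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# The anchor rule for one jail: the jail may reach its own address on lo0.
jail_rule() {
    printf 'pass on lo0 from %s to %s\n' "$1" "$1"
}

# Emit the complete anchor ruleset from the address list kept on disk.
# 'pfctl -a jails -f FILE' replaces the anchor's whole ruleset, so every
# reload must carry every jail, not just the one that changed.
render_rules() {
    list="$STATE_DIR/$TABLE.addrs"
    [ -f "$list" ] || return 0
    while IFS= read -r addr || [ -n "$addr" ]; do
        if valid_ipv4 "$addr"; then
            jail_rule "$addr"
        fi
    done < "$list"
}

# Regenerate the rules file (also used by 'load anchor' at boot) and load it.
reload_anchor() {
    rules="$STATE_DIR/$ANCHOR.rules"
    render_rules > "$rules.tmp"
    mv "$rules.tmp" "$rules"
    "$PFCTL" -a "$ANCHOR" -f "$rules"
}

jail_up() {
    addr=$1
    valid_ipv4 "$addr" || { echo "jail_up: bad address '$addr'" >&2; return 1; }
    list="$STATE_DIR/$TABLE.addrs"
    mkdir -p "$STATE_DIR"
    touch "$list"
    grep -qxF -- "$addr" "$list" || echo "$addr" >> "$list"
    "$PFCTL" -t "$TABLE" -T add "$addr"
    reload_anchor
}

jail_down() {
    addr=$1
    valid_ipv4 "$addr" || { echo "jail_down: bad address '$addr'" >&2; return 1; }
    list="$STATE_DIR/$TABLE.addrs"
    if [ -f "$list" ]; then
        awk -v a="$addr" '$0 != a' "$list" > "$list.tmp"
        mv "$list.tmp" "$list"
    fi
    "$PFCTL" -t "$TABLE" -T delete "$addr"
    reload_anchor
    # '-k HOST' matches states by source only; the second form matches by
    # destination, so both directions of any live connection are dropped.
    "$PFCTL" -k "$addr"
    "$PFCTL" -k 0.0.0.0/0 -k "$addr"
}

case ${1:-} in
    up)   jail_up "${2:?usage: $0 up|down ADDRESS}" ;;
    down) jail_down "${2:?usage: $0 up|down ADDRESS}" ;;
    '')   ;;   # no arguments: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 up|down ADDRESS" >&2; exit 64 ;;
esac
```

Call it as `jailpf.sh up 172.16.2.9` from the jail's start hook and `jailpf.sh down 172.16.2.9` from its stop hook (for jail.conf that is exec.poststart and exec.prestop). Because the script writes the same two files the `file` and `load anchor` directives read, a reboot restores the table and anchor from disk without the script running again.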