From owner-freebsd-pf@FreeBSD.ORG Mon Oct 14 20:30:07 2013
Date: Mon, 14 Oct 2013 22:30:06 +0200
Subject: Re: PF rule question
From: Uroš Gruber
To: Darren Pilgrim
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Ok, one way of doing it is something like this:

( pfctl -a jails -sr ; echo "pass on lo0 from 192.0.2.65 to 192.0.2.65" ) | pfctl -a jails -f -

But still, it's only for adding the rule to the anchor. I need to work on something for deleting the rule :)

Regards

Uros

On 14 October 2013 22:20, Uroš Gruber wrote:
> Hi Darren,
>
> I thought about anchors and also did some tests with them. But the problem
> I'm seeing is that I need to get a list of all rules for all active jails
> when starting or stopping a jail. At least I don't see a way to add or
> remove the rule from the anchor except to replace all anchor rules.
>
> Am I missing something here, or was that your idea?
>
> Regards
>
> Uros
>
>
> On 14 October 2013 02:59, Darren Pilgrim wrote:
>
>> On 10/9/2013 3:54 PM, Uroš Gruber wrote:
>>
>>> Hi,
>>>
>>> I'm struggling to complete my pf firewall configuration with a bit more
>>> optimized rules.
>>>
>>> I have a few hundred jails set up on the network from 172.16.1.0 to
>>> 172.16.10.0.
>>>
>>> My goal is to deny access between jails, but allow a few exceptions, for
>>> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>>>
>>> I've accomplished this with rules like
>>>
>>> pass on lo0 from $jailnet to 172.16.1.0/26
>>> pass on lo0 from 172.16.1.1 to 172.16.1.1
>>>
>>> I would like to know if there is a better way to write such rules, mostly
>>> because all these jails are very dynamic in terms of
>>> running, stopping/destroying etc., and also IP aliases are removed and added
>>> back continuously.
>>>
>>
>> Use an anchor for the "pass on lo0 from X to X" rules and a table for the
>> jailnet. Then have your jail provisioning scripts manipulate the table and
>> anchor as jails come up and down.
>>
>> In /etc/pf.conf:
>>
>> table <jailnet> persist
>> pass on lo0 from <jailnet> to 172.16.1.0/26
>> anchor jails
>>
>> When bringing up a jail:
>>
>> # pfctl -t jailnet -T add 192.0.2.65
>> # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
>>
>> When taking down a jail:
>>
>> # pfctl -t jailnet -T delete 192.0.2.65
>> # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
>> # pfctl -k 192.0.2.65
>>
>> You'll need to reload the table and anchor rules on a system restart. You
>> can do that with rules in /etc/pf.conf:
>>
>> table <jailnet> persist file "/path/to/jailnet_address_list"
>> load anchor jails from "/path/to/jails_rules_list"
>>
>> or directly using pfctl:
>>
>> # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
>> # pfctl -a jails -f /path/to/jails_rules_list
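The add-only pipeline at the top of the thread leaves the deletion side open. The script below is an added example, not code from anyone in this thread: it covers both directions with the same dump-filter-reload pattern (dump the anchor with `pfctl -a jails -sr`, drop the one jail's rule, append the new rule once, reload the anchor), so the other jails' rules survive each change. The anchor name `jails`, the table `jailnet` and the `pfctl -k` state kill come from Darren's reply; the function names, the `PFCTL` override (so the rule-list logic can be exercised on a box without pf) and the sample addresses are assumptions. One detail worth knowing: `pfctl -sr` prints rules in canonical form (it adds `inet` and, for pass rules, `flags S/SA keep state`), so the dumped line is not byte-identical to the rule that was loaded; the filter therefore matches on the `from IP to IP` pair rather than on the whole line.

```shell
#!/bin/sh
# Example script (not from the thread): add or remove one jail's rule in the
# pf anchor "jails" without replacing the other jails' rules.
# Assumptions: anchor "jails" and table "jailnet" as in the thread; one IPv4
# address per jail; PFCTL may be overridden to exercise the logic without pf.
set -e

ANCHOR=${ANCHOR:-jails}
TABLE=${TABLE:-jailnet}
PFCTL=${PFCTL:-pfctl}

# The per-jail rule, as loaded into the anchor.
jail_rule() {
    printf 'pass on lo0 from %s to %s\n' "$1" "$1"
}

# Filter: read a rule list on stdin, drop every rule for address $1.
# "pfctl -sr" prints rules in canonical form (it adds "inet", "flags S/SA keep
# state", ...), so match on the "from IP to IP" pair rather than on the whole
# line. Dots are escaped so 192.0.2.6 does not also match 192.0.2.65.
rules_without() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E -v -- "[[:space:]]from ${pat} to ${pat}([[:space:]]|\$)" || true
}

# Filter: read a rule list on stdin, emit it with the rule for $1 present
# exactly once, so re-running a jail's start script does not duplicate it.
rules_with() {
    rules_without "$1"
    jail_rule "$1"
}

# Reload the anchor from a rule list, the way the thread does it:
#   ( pfctl -a jails -sr ; echo "<rule>" ) | pfctl -a jails -f -
jail_up() {
    $PFCTL -t "$TABLE" -T add "$1"
    $PFCTL -a "$ANCHOR" -sr | rules_with "$1" | $PFCTL -a "$ANCHOR" -f -
}

jail_down() {
    $PFCTL -t "$TABLE" -T delete "$1"
    $PFCTL -a "$ANCHOR" -sr | rules_without "$1" | $PFCTL -a "$ANCHOR" -f -
    # Removing the rule does not end established connections; kill the states.
    $PFCTL -k "$1"
}

# Usage: sh jailpf.sh up|down <jail-ip>
case "${1:-}" in
    up)   jail_up "$2" ;;
    down) jail_down "$2" ;;
esac
```

Because every change is a read-modify-write of the whole anchor, two jails starting at the same moment can race and the second reload silently drops the first jail's rule; on FreeBSD, serialise the calls with lockf(1), for example `lockf -t 10 /var/run/pf-jails.lock sh jailpf.sh up 192.0.2.65`, or run them from a single provisioning process.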