From owner-freebsd-pf@freebsd.org Thu Mar 11 06:38:30 2021
From: Zenny
Date: Thu, 11 Mar 2021 07:38:27 +0100
Subject: pf config to isolate two vnet/netgraph VLAN jail groups?
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

Any suggestions on how to restrict any transaction/interaction/traffic between NATted netgraph VLANs (vi0 and vi1 in this case), but not with the bridged external NIC ($ext_if in pf), in a setup as in the digraph below (netdiagram is attached)?

I would appreciate it if anyone could suggest some inputs on isolating two netgraph VLANs so that they cannot reach each other but are accessible to and from the internet via the NATted external NIC. I use pf, FYI.

Cheers and stay safe!

/z

digraph "netgraph" {
    graph [ fontsize = "14" fontname = "Times-Roman" fontcolor = "black" ]
    node [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" shape = "record" style = "solid" ]
    edge [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" style = "solid" ]
    "1"  [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{em0:|{ether|[1]:}}" shape = "record" style = "solid" ]
    "c5" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi1_c2:|{eiface|[c5]:}}" shape = "record" style = "solid" ]
    "86" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi0_v2:|{eiface|[86]:}}" shape = "record" style = "solid" ]
    "a8" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi1:|{eiface|[a8]:}}" shape = "record" style = "solid" ]
    "69" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi0:|{eiface|[69]:}}" shape = "record" style = "solid" ]
    "eb" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{ngctl15171:|{socket|[eb]:}}" shape = "record" style = "solid" ]
    "ae" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi1br:|{bridge|[ae]:}}" shape = "record" style = "solid" ]
    "6f" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi0br:|{bridge|[6f]:}}" shape = "record" style = "solid" ]
    "b3" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi1_c1:|{eiface|[b3]:}}" shape = "record" style = "solid" ]
    "74" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi0_v1:|{eiface|[74]:}}" shape = "record" style = "solid" ]
    "d8" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi1_c3:|{eiface|[d8]:}}" shape = "record" style = "solid" ]
    "99" [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" label = "{vi0_v3:|{eiface|[99]:}}" shape = "record" style = "solid" ]
    {
        graph [ fontsize = "14" fontname = "Times-Roman" fontcolor = "black" ]
        node [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" shape = "record" style = "solid" ]
        edge [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" style = "solid" ]
        "1" "c5" "86" "a8" "69" "eb" "ae" "6f" "b3" "74" "d8" "99"
    }
    subgraph "cluster_disconnected" {
        graph [ fontsize = "14" fontname = "Times-Roman" fontcolor = "black" bgcolor = "pink" ]
        node [ fontsize = "12" fontname = "Times-Roman" fontcolor = "black" shape = "record" style = "solid" ]
        edge [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" style = "solid" ]
        "1" "eb"
    }
    "ae" -> "c5" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "ether" taillabel = "link2" style = "solid" ]
    "6f" -> "86" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "ether" taillabel = "link2" style = "solid" ]
    "a8" -> "ae" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "link0" taillabel = "ether" style = "solid" ]
    "69" -> "6f" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "link0" taillabel = "ether" style = "solid" ]
    "ae" -> "b3" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "ether" taillabel = "link1" style = "solid" ]
    "6f" -> "74" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "ether" taillabel = "link1" style = "solid" ]
    "ae" -> "d8" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "ether" taillabel = "link3" style = "solid" ]
    "6f" -> "99" [ fontsize = "10" fontname = "Times-Roman" fontcolor = "black" dir = "none" headlabel = "ether" taillabel = "link3" style = "solid" ]
}
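One way to express the isolation asked for above in pf.conf on the jail host; this is an added example, not a ruleset from the poster or from the FreeBSD project. It assumes em0 (the graph's "ether" node) is $ext_if, that the host-side vi0 and vi1 eifaces carry the gateway addresses of two constructed subnets, and that the web_jail address and the port 80 redirect stand in for whatever the jails actually expose.

```pf
# Added example; em0 is taken from the graph's "ether" node, everything else is assumed.
ext_if  = "em0"
vi0_if  = "vi0"                 # host side of the vi0br group, gateway for $vi0_net
vi1_if  = "vi1"                 # host side of the vi1br group, gateway for $vi1_net
vi0_net = "10.10.0.0/24"        # constructed subnet for the vi0_v1..v3 jails
vi1_net = "10.10.1.0/24"        # constructed subnet for the vi1_c1..c3 jails
jail_nets = "{" $vi0_net $vi1_net "}"
web_jail  = "10.10.0.11"        # constructed address of one vi0_* jail reachable from outside

set skip on lo0
scrub in all

# Translation rules come before filter rules in FreeBSD's pf.conf grammar.
nat on $ext_if inet from $jail_nets to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_jail port 80

# Default deny; logged drops of cross-group traffic can be read from pflog0.
block log all

# Group isolation. Packets from one group to the other are routed by the host,
# so they enter on vi0 or vi1: drop them there with "quick" so that no later
# pass rule (including any broad "pass out" added in future) can let them through.
block in quick on $vi0_if inet from any to $vi1_net
block in quick on $vi1_if inet from any to $vi0_net
# A jail using the other group's source range is dropped on arrival as well.
antispoof quick for { $vi0_if $vi1_if } inet

# Jail groups reach the internet through the NATted external NIC. pf keeps one
# state per interface for a forwarded flow, hence a rule on each side.
pass in  on $vi0_if inet from $vi0_net to any keep state
pass in  on $vi1_if inet from $vi1_net to any keep state
pass out on $ext_if inet keep state

# Internet reaches the one redirected jail service, and nothing else inside.
pass in  on $ext_if inet proto tcp from any to $web_jail port 80 keep state
pass out on $vi0_if inet proto tcp from any to $web_jail port 80 keep state
```

Frames between jails on the same ng_bridge are switched by netgraph and never enter the host's stack, so this ruleset separates the two groups from each other but not the vi0_* jails from one another. Check the result with `pfctl -nf /etc/pf.conf` before loading and `pfctl -sr` afterwards, and watch `tcpdump -n -e -ttt -i pflog0` while a jail in one group tries to reach the other.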