Date: Thu, 07 Aug 2008 18:06:30 +0200
From: Nejc Škoberne <nejc@skoberne.net>
To: freebsd-pf@freebsd.org
Cc: Mitar <mitar@tnode.com>, Weiss <weiss@druga.org>
Subject: pf and jails
Message-ID: <489B1D86.3070306@skoberne.net>
Hello,

I have a server with multiple jails of different types (service jails, user jails, ...). In my rc.conf I have (the relevant parts):

# Host
ifconfig_bge0="a.b.c.242 netmask 255.255.255.240"
# Host
ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255"
# Common
defaultrouter="a.b.c.241"
# Jails
cloned_interfaces="lo1 lo2"
ifconfig_lo1="10.1.1.1 netmask 255.255.255.0"
ifconfig_lo2="10.1.2.1 netmask 255.255.255.0"
jail_first_ip="a.b.c.244"
jail_first_interface="bge0 netmask 255.255.255.240"
jail_second_ip="10.1.1.13"
jail_second_interface="lo1 netmask 255.255.255.0"
jail_third_ip="10.1.2.10"
jail_third_interface="lo2 netmask 255.255.255.0"

Now I would like to do firewalling between these jails, so that users of the second and the third jail can't ssh to the first jail, for example. I thought this could be done by simply doing:

- block log all
- pass on lo0 all
- [define other pass rules like: pass out on lo1 from ... to ...]

But then I realized that all the traffic which travels between the jails themselves and between the jails and the host is only "visible" on the lo0 interface. So I guess this is done by design.

So my only option would be blocking all on lo0 and then doing pass rules only on lo0? I guess this is harder, because I need to observe carefully what needs to be passed on lo0 in order not to break anything?

How do you do it?

Thanks,
Nejc
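A pf.conf that implements the policy described in the post, filtering jail-to-jail and host-to-jail traffic on lo0, where it is actually seen. This is an added example, not from the original message; the services the user jails may still reach in the first jail (http, https) and the ssh access to the host from outside are assumptions.

```pf
# /etc/pf.conf (added example). Addresses are taken from the rc.conf in the post.
ext_if = "bge0"
host   = "{ a.b.c.242, a.b.c.243 }"
jail1  = "a.b.c.244"                      # service jail, address on bge0
jail2  = "10.1.1.13"                      # user jail, address on lo1
jail3  = "10.1.2.10"                      # user jail, address on lo2
table <user_jails> { 10.1.1.13, 10.1.2.10 }
table <all_jails>  { a.b.c.244, 10.1.1.13, 10.1.2.10 }

set block-policy return
set loginterface lo0

# Default deny on every interface. lo0 is deliberately NOT skipped, because
# host<->jail and jail<->jail packets are routed over lo0 even when the jail
# address sits on bge0, lo1 or lo2. Rules without "quick" use last-match, so
# the specific "quick" rules below take precedence.
block log all

# Policy from the post: user jails must not reach ssh in the first jail.
block return log quick on lo0 proto tcp from <user_jails> to $jail1 port ssh

# What the user jails may still use in the service jail (assumption: web only).
pass quick on lo0 proto tcp from <user_jails> to $jail1 port { http, https }

# User jails must not talk to each other at all.
block return log quick on lo0 from <user_jails> to <user_jails>

# Host <-> jail traffic stays open; the state entry lets the reply through.
pass quick on lo0 from $host to <all_jails>
pass quick on lo0 from <all_jails> to $host

# Plain loopback inside the host (127.0.0.1 is mapped to the jail IP in jails).
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# External interface: host and jails may initiate outbound connections;
# inbound only ssh to the host (assumption) and ICMP echo.
pass out quick on $ext_if from { $host, $jail1 } to any
pass in quick on $ext_if inet proto tcp from any to $host port ssh
pass in quick on $ext_if inet proto icmp from any to { $host, $jail1 } icmp-type echoreq
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while testing from the jails: every block on lo0 is logged, which is the quickest way to find a legitimate host-to-jail flow the pass rules forgot.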