From: Nejc Škoberne
Date: Thu, 07 Aug 2008 18:06:30 +0200
To: freebsd-pf@freebsd.org (Technical discussion and general questions about packet filter (pf))
Cc: Mitar, Weiss
Subject: pf and jails
Message-ID: <489B1D86.3070306@skoberne.net>

Hello,

I have a server with multiple jails of different types (service jails, user jails, ...).
In my rc.conf I have (the relevant parts):

    # Host
    ifconfig_bge0="a.b.c.242 netmask 255.255.255.240"
    # Host
    ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255"
    # Common
    defaultrouter="a.b.c.241"
    # Jails
    cloned_interfaces="lo1 lo2"
    ifconfig_lo1="10.1.1.1 netmask 255.255.255.0"
    ifconfig_lo2="10.1.2.1 netmask 255.255.255.0"
    jail_first_ip="a.b.c.244"
    jail_first_interface="bge0 netmask 255.255.255.240"
    jail_second_ip="10.1.1.13"
    jail_second_interface="lo1 netmask 255.255.255.0"
    jail_third_ip="10.1.2.10"
    jail_third_interface="lo2 netmask 255.255.255.0"

Now I would like to do firewalling between these jails, so that users of the second and the third jail can't ssh to the first jail, for example. I thought this could be done by simply doing:

    - block log all
    - pass on lo0 all
    - [define other pass rules like: pass out on lo1 from ... to ...]

But then I realized that all the traffic which travels between the jails themselves, and between the jails and the host, is only "visible" on the lo0 interface. So I guess this is done by design.

So my only option would be blocking all on lo0 and then doing pass rules only on lo0? I guess this is harder, because I need to observe carefully what needs to be passed on lo0 in order not to break anything?

How do you do it?

Thanks,
Nejc
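As an added illustration (this is not part of Nejc's post or of any reply on the list), here is a pf.conf fragment that takes the observation above at face value: because locally delivered packets between the jails, and between the jails and the host, are seen by pf on lo0 only, the rules match on lo0 by source and destination address instead of on the lo1/lo2 interfaces the addresses are configured on. The jail addresses are the ones from the rc.conf in the post; the macro names, the decision to leave all other local traffic open initially, and the bge0 rules are assumptions made for the example.

```pf
# Added example, not from the original post.  Filter inter-jail traffic
# on lo0 by address: local delivery between jails (and between a jail
# and the host) is seen by pf on lo0, not on lo1/lo2.
# Addresses come from the rc.conf in the post; macro names are assumed.

first_jail = "a.b.c.244"                 # jail_first, on bge0
user_jails = "{ 10.1.1.13, 10.1.2.10 }"  # jail_second (lo1), jail_third (lo2)
host_lo    = "127.0.0.1"

# Do NOT 'set skip on lo0' in this setup: it would hide every
# jail-to-jail packet from pf and silently disable the rule below.

block log all

# Ordinary loopback traffic between host services stays open.
pass quick on lo0 from $host_lo to $host_lo

# The user jails may not reach the service jail on ssh.  Logged, so the
# attempts show up on pflog0 while the ruleset is being tuned.
block log quick on lo0 proto tcp from $user_jails to $first_jail port ssh

# Everything else that stays local is allowed for now; tighten this once
# pflog0 and 'pfctl -ss' have shown what the jails actually need.
pass quick on lo0 all

# External traffic on bge0, e.g. ssh to the host and to the first jail.
pass in on bge0 proto tcp from any to { a.b.c.242, $first_jail } port ssh keep state
pass out on bge0 all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm the loaded rules with `pfctl -sr`, and then watch `tcpdump -n -e -ttt -i pflog0` while trying an ssh connection from the second jail to the first: the blocked SYN should appear there with `lo0` as the interface, which also confirms that the address-based rule on lo0 is the one doing the work.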