From owner-freebsd-pf@FreeBSD.ORG Sat Mar 29 06:50:23 2014
Message-ID: <53366B85.3020002@soliddataservices.com>
Date: Fri, 28 Mar 2014 23:43:17 -0700
From: Matt Lager <matt@soliddataservices.com>
To: freebsd-pf@freebsd.org
Subject: Controlling traffic between jails on the same host
List-Id: "Technical discussion and general questions about packet filter (pf)"

The Setup:

I've got a pretty simple setup... A FreeBSD 10.0 host with 3 jails on it. The host and each jail are assigned a public IP address. The host runs PF, which controls inbound and outbound traffic for itself and its jails. All works really nicely.
Here's a basic diagram:

PF does a really good job controlling traffic to and from remote systems. I have recently come across the need to limit traffic from jails on the host to other jails on the same host, i.e. HostA-JailA needs to not be able to communicate with HostA-JailB.

What I am seeing, however, is that because all these jails share a single interface, the traffic must not be going through PF, as it is just seen as local traffic. I briefly tried to bring up a jail on another interface (lo1, for example) and use NAT to provide it with its connectivity, but even then the local traffic was still not filterable.

There's got to be a way, but my brain hasn't thought of it yet. Any advice would be amazing, thanks so much ahead of time!

--Matt
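The following pf.conf fragment is an added example for the setup described in the post above; it is not the poster's ruleset and not part of the original message. It assumes (hypothetical values) an external interface em0, a host address of 198.51.100.10 and jail addresses 198.51.100.11 through .13 on that same interface. It also assumes the behaviour FreeBSD exhibits for traffic between two addresses that both belong to the host: such packets never leave em0 but are looped back over lo0, so pf only sees them on lo0, and the `set skip on lo0` line that the stock /etc/pf.conf ships with exempts exactly that jail-to-jail traffic from filtering. The example removes that line and filters on lo0 explicitly.

```pf
# Added example (not from the original post). Hypothetical addresses.
ext_if  = "em0"
host_ip = "198.51.100.10"
jail_a  = "198.51.100.11"
jail_b  = "198.51.100.12"
jail_c  = "198.51.100.13"

# Deliberately NOT present: "set skip on lo0".
# Traffic between two local addresses (host <-> jail, jail <-> jail)
# is looped back over lo0; skipping lo0 would make it unfilterable.
set block-policy drop

# Jail A and jail B must not talk to each other in either direction.
# Both directions of a local flow traverse lo0, so one "in" rule per
# direction is enough.
block in quick on lo0 from $jail_a to $jail_b
block in quick on lo0 from $jail_b to $jail_a

# Everything else on loopback (127/8, host <-> jails, jails <-> jail C)
# is allowed.
pass quick on lo0

# Existing rules for remote traffic on the shared external interface.
block in on $ext_if all
pass out on $ext_if from { $host_ip, $jail_a, $jail_b, $jail_c } keep state
pass in on $ext_if proto tcp to $host_ip port ssh keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the assumption that the jail-to-jail packets really show up on lo0 on your host, run `tcpdump -ni lo0 host 198.51.100.11` while jail A tries to reach jail B, and watch the per-rule counters with `pfctl -vvsr`: the `block in quick on lo0` rules should be the ones incrementing. If `tcpdump` on lo0 shows nothing, the packets are taking a different path (for example a separate loopback interface like lo1, or a bridge), and the rules need to name that interface instead.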