From: Mikal Sande
To: freebsd-pf@freebsd.org
Date: Sat, 29 Mar 2014 10:31:12 +0100
Subject: Re: Controlling traffic between jails on the same host
Message-ID: <533692E0.6000104@gmail.com>
In-Reply-To: <53366B85.3020002@soliddataservices.com>

On 03/29/2014 07:43 AM, Matt Lager wrote:
> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with
> 3 jails on it. The host and each jail are assigned a public IP
> address. The host runs PF that controls inbound and outbound traffic
> for itself and its jails. All works really nicely. Here's a basic
> diagram:
>
> PF does a really good job controlling traffic to and from remote
> systems. I have recently come across the need to limit traffic from
> jails on the host to other jails on the same host, i.e. HostA-JailA
> needs to not be able to communicate with HostA-JailB. What I am
> seeing, however, is that because all these jails share a single
> interface, the traffic must not be going through PF as it is just seen
> as local traffic.
>
> I briefly tried to bring up a jail on another interface (lo1 for
> example) and use NAT to provide it with its connectivity, but even
> then the local traffic was still not filterable.
>
> There's got to be a way, but my brain hasn't thought of it yet. Any
> advice would be amazing, thanks so much ahead of time!
>
> --Matt
>

Do you have rules that allow all traffic on loopback, or do you have
'set skip on lo0' or something in your pf.conf? I had the latter set
last time I tried to limit traffic between jails; it took me a little
time to realize it.
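An added pf.conf illustration of the point Mikal raises (not code from either poster): on a shared-IP jail host, traffic between two jails is delivered over lo0, so a `set skip on lo0` line makes it invisible to pf. The interface name em0 and the jail addresses 192.0.2.11 and 192.0.2.12 are constructed placeholders.

```pf
# Added example, not from the thread. em0 and the 192.0.2.x addresses
# are constructed placeholders; substitute the real interface and jail IPs.
ext_if = "em0"
jail_a = "192.0.2.11"
jail_b = "192.0.2.12"

# Weak setting: with lo0 skipped, pf never evaluates inter-jail packets,
# so no later block rule can take effect. Leave this line out.
# set skip on lo0

# Filter lo0 explicitly instead. Keep the host's own loopback traffic
# flowing, then block jail A <-> jail B before the general lo0 pass.
pass quick on lo0 inet  from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet6 from ::1 to ::1
block return log quick on lo0 from $jail_a to $jail_b
block return log quick on lo0 from $jail_b to $jail_a
pass on lo0

# External traffic is handled as before on the public interface.
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp to { $jail_a, $jail_b } port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then confirm the block rules are present with `pfctl -sr`; the `log` keyword lets you watch denied inter-jail attempts on pflog0 with tcpdump.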