From: wishmaster
Subject: Re: Controlling traffic between jails on the same host
To: Matt Lager
Cc: freebsd-pf@freebsd.org
Date: Sat, 29 Mar 2014 13:22:38 +0200
Message-Id: <1396090896.265476232.r0xv69g2@frv34.fwdcdn.com>
In-Reply-To: <53366B85.3020002@soliddataservices.com>
References: <53366B85.3020002@soliddataservices.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
--- Original message ---
From: "Matt Lager"
Date: 29 March 2014, 08:50:27

> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3
> jails on it. The host and each jail are assigned a public IP address.
> The host runs PF that controls inbound and outbound traffic for itself
> and its jails. All works really nicely. Here's a basic diagram:
>
> PF does a really good job controlling traffic to and from remote systems.
> I have recently come across the need to limit traffic from jails on the
> host to other jails on the same host, i.e., HostA-JailA needs to not be
> able to communicate with HostA-JailB. What I am seeing, however, is that
> because all these jails share a single interface, the traffic must not
> be going through PF as it is just seen as local traffic.
>
> I briefly tried to bring up a jail on another interface (lo1 for
> example) and use NAT to provide it with its connectivity, but even then
> the local traffic was still not filterable.
>
> There's got to be a way, but my brain hasn't thought of it yet. Any
> advice would be amazing, thanks so much ahead of time!

I had the same problem and have switched to vnet. With vnet you will be able to have an internal network and communicate with the base host, other jails and the world via an epair switch. In jails you can completely disable pf and do traffic filtering on each epair*a interface. But I don't know how stable pf is with a virtualized network stack (question to glebius@?). I use ipfw.

There is one more important factor: traffic shaping and prioritization. If your base host works as a router for the LAN and has some services in vneted jails, you can easily divide and prioritize the Internet link among jailed services and LAN users.

--
Cheers,
Vitaliy
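The layout the reply describes, written out as an added example that is not from either poster: each jail in its own vnet on its own epair, pf disabled inside the jails and run only on the host, where it filters on the epair*a ends so jail-to-jail traffic can be blocked while each jail still reaches the host and the Internet. Jail names, interface names and addresses are constructed.

```conf
# --- /etc/jail.conf on the host (constructed example) ---
# Needs a VIMAGE kernel (not in the 10.x GENERIC kernel) and, in the host's
# rc.conf, gateway_enable="YES" and pf_enable="YES".
path = "/jails/$name";
host.hostname = "$name.example.local";
exec.clean;
mount.devfs;
exec.stop = "/bin/sh /etc/rc.shutdown";

jailA {
    vnet;                               # own network stack, no pf inside
    vnet.interface = "epair0b";         # "b" end moves into the jail
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.1/30 up";   # host side
    exec.start     = "ifconfig epair0b inet 10.0.0.2/30 up";   # runs in jail
    exec.start    += "route add default 10.0.0.1";
    exec.start    += "/bin/sh /etc/rc";
    exec.poststop  = "ifconfig epair0a destroy";
}

jailB {
    vnet;
    vnet.interface = "epair1b";
    exec.prestart  = "ifconfig epair1 create";
    exec.prestart += "ifconfig epair1a inet 10.0.0.5/30 up";
    exec.start     = "ifconfig epair1b inet 10.0.0.6/30 up";
    exec.start    += "route add default 10.0.0.5";
    exec.start    += "/bin/sh /etc/rc";
    exec.poststop  = "ifconfig epair1a destroy";
}

# --- /etc/pf.conf on the host: the only place pf runs ---
ext_if    = "em0"
jailA_net = "10.0.0.0/30"
jailB_net = "10.0.0.4/30"

# Jails use private addresses; NAT them out of the public interface.
nat on $ext_if from { $jailA_net, $jailB_net } to any -> ($ext_if)

block log all
pass out on $ext_if keep state
pass out on { epair0a, epair1a } keep state        # host -> jail traffic

# Each jail may reach the host and the Internet, but not the other jail:
# a jail-to-jail packet arrives on the host's epair*a end, matches no
# pass rule, and is dropped (and logged) by "block log all".
pass in on epair0a from $jailA_net to ! $jailB_net keep state
pass in on epair1a from $jailB_net to ! $jailA_net keep state
```

`tcpdump -nei pflog0` on the host shows the blocked jail-to-jail attempts, which is the visibility the original poster was missing when the jails shared one interface.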