Date: Sat, 29 Mar 2014 12:19:10 -0700
From: Matt Lager <matt@soliddataservices.com>
To: freebsd-pf@freebsd.org
Subject: Re: Controlling traffic between jails on the same host
Message-ID: <53371CAE.2090804@soliddataservices.com>
In-Reply-To: <53370BE0.20806@soliddataservices.com>
References: <53366B85.3020002@soliddataservices.com> <533692E0.6000104@gmail.com> <53370BE0.20806@soliddataservices.com>
Any particular reason pfctl -f /etc/pf.conf takes about a minute to reload when I remove "set skip on { lo0 }"? It eventually reloads, but I can't figure out what it's trying to do; I haven't even put any rules in yet.

On 3/29/2014 11:07 AM, Matt Lager wrote:
> That was it, lo0 was the answer and I had set skip on lo0. For some
> reason, that's in every freaking pf.conf example out there so I never
> gave it a second thought. Thanks :)
>
> On 3/29/2014 2:31 AM, Mikal Sande wrote:
>> On 03/29/2014 07:43 AM, Matt Lager wrote:
>>> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host
>>> with 3 jails on it. The host and each jail are assigned a public IP
>>> address. The host runs PF that controls inbound and outbound traffic
>>> for itself and its jails. All works really nicely. Here's a basic
>>> diagram:
>>>
>>> PF does a really good job controlling traffic to and from remote
>>> systems. I have recently come across the need to limit traffic from
>>> jails on the host to other jails on the same host, i.e. HostA-JailA
>>> needs to not be able to communicate with HostA-JailB. What I am
>>> seeing, however, is that because all these jails share a single
>>> interface, the traffic must not be going through PF as it is just
>>> seen as local traffic.
>>>
>>> I briefly tried to bring up a jail on another interface (lo1 for
>>> example) and use NAT to provide it with its connectivity, but even
>>> then the local traffic was still not filterable.
>>>
>>> There's got to be a way, but my brain hasn't thought of it yet. Any
>>> advice would be amazing, thanks so much ahead of time!
>>>
>>> --Matt
>>>
>> Do you have rules that allow all traffic on loopback, or do you have
>> 'set skip on lo0' or something in your pf.conf? I had the latter set
>> last time I tried to limit traffic between jails; it took me a little
>> time to realize it.
--
Solid Data Services <http://www.soliddataservices.com>
Matt Lager / President
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53371CAE.2090804>
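The fix the thread arrives at is to stop skipping lo0: when both endpoints are addresses on the same host, FreeBSD delivers the packets over the loopback interface, so a ruleset that carries `set skip on lo0` never sees jail-to-jail traffic at all. The following pf.conf fragment is an added example, not a configuration posted in the thread; the interface name em0 and the 198.51.100.0/24 addresses are assumed placeholders. The weak setting is shown commented out next to the corrected rules:

```conf
# Added example (not from the thread). Assumed names and addresses:
#   em0 carries the host's public IP and the jails' IPs as aliases.
ext_if  = "em0"
host_ip = "198.51.100.10"
jail_a  = "198.51.100.11"
jail_b  = "198.51.100.12"

# WEAK (what most pf.conf examples carry): lo0 is excluded from filtering,
# so traffic between two addresses on this host, which the kernel delivers
# over lo0, never reaches the rules below and cannot be blocked.
# set skip on { lo0 }

# CORRECTED: lo0 is filtered like any other interface. The host's own
# loopback traffic must now be allowed explicitly or local services break.
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# Jail isolation. "quick" makes these win over any later pass rule, and
# "log" copies the blocked packets to pflog0 so the isolation can be verified.
block drop log quick from $jail_a to $jail_b
block drop log quick from $jail_b to $jail_a

# Remaining local traffic (host <-> jail) on lo0 stays allowed.
pass quick on lo0 all

# External policy for the host and the jails (assumed services).
block log all
pass in  on $ext_if proto tcp to $host_ip port 22 keep state
pass in  on $ext_if proto tcp to { $jail_a $jail_b } port { 80 443 } keep state
pass out on $ext_if from { $host_ip $jail_a $jail_b } keep state
```

To check it: `pfctl -vnf /etc/pf.conf` parses the file without loading it, `pfctl -sr` lists what is actually loaded, and `tcpdump -ni lo0 host 198.51.100.11` from the host confirms that jail-to-jail packets really do traverse lo0 rather than em0. Because the block rules carry `log`, a connection attempt from JailA to JailB shows up on `tcpdump -n -e -ttt -i pflog0` as a blocked packet on lo0. The caveat is that filtering lo0 means every local service the host relies on needs an explicit pass rule; the two `pass quick on lo0` lines above cover the usual cases, and anything missing surfaces in the pflog0 output rather than failing silently.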