Date: Thu, 10 Oct 2013 00:54:27 +0200
From: Uroš Gruber <uros.gruber@gmail.com>
To: freebsd-pf@freebsd.org
Subject: PF rule question
Message-ID: <CAHGMo946%2BZmz1tpn1b=PjLTvSfEa9EMRXKypuyTM7X65yhow1w@mail.gmail.com>
Hi,

I'm struggling to complete my pf firewall configuration with a bit more optimized rules. I have a few hundred jails set up on the network from 172.16.1.0 to 172.16.10.0. My goal is to deny access between jails, but allow a few exceptions, for example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.

I've accomplished this with rules like

  pass on lo0 from $jailnet to 172.16.1.0/26
  pass on lo0 from 172.16.1.1 to 172.16.1.1
  pass on lo0 from 172.16.1.2 to 172.16.1.2
  pass on lo0 from 172.16.1.3 to 172.16.1.3
  pass on lo0 from 172.16.1.4 to 172.16.1.4
  .......
  ......
  pass on lo0 from 172.16.10.252 to 172.16.10.252
  pass on lo0 from 172.16.10.253 to 172.16.10.253
  pass on lo0 from 172.16.10.254 to 172.16.10.254

So the basic idea is to allow only traffic from a src IP to itself. I would like to know if there is a better way to write such rules, mostly because all those jails are very dynamic in terms of running, stopping/destroying etc., and also IP aliases are removed and added back continuously.

Thanks for any help on this.

Uros
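An added example, not from the original message or any reply in the thread: one way to keep the per-jail rules in step with a changing set of jails is to regenerate them into a pf anchor from the addresses of the jails currently running, so the main pf.conf never changes. It assumes pf.conf carries `anchor "jails"`, that 172.16.0.0/20 stands in for the poster's $jailnet, and that `jls ip4.addr` prints one jail per line with its IPv4 addresses comma-separated.

```shell
#!/bin/sh
# Added example (not the poster's configuration): regenerate the per-jail
# rules into a pf anchor whenever a jail starts or stops, instead of
# keeping hundreds of hand-written "pass from X to X" lines in pf.conf.
# Assumptions: pf.conf contains `anchor "jails"`, and 172.16.0.0/20 stands
# in for the poster's $jailnet (it covers 172.16.1.0 - 172.16.10.0).
JAILNET="172.16.0.0/20"
SHARED="172.16.1.0/26"     # the range every jail may reach
ANCHOR="jails"

# Print the anchor ruleset for the given jail addresses on stdout.
# pf keeps the *last* matching rule, so the block comes first and the
# narrower pass rules override it; with no addresses the table is left
# empty rather than emitting an empty "{ }" list.
gen_jail_rules() {
    if [ "$#" -eq 0 ]; then
        printf 'table <jails> persist\n'
    else
        printf 'table <jails> persist { %s }\n' "$*"
    fi
    # default: no traffic between jails
    printf 'block drop on lo0 from <jails> to %s\n' "$JAILNET"
    # exception 1: every jail may reach the shared range
    printf 'pass on lo0 from <jails> to %s\n' "$SHARED"
    # exception 2: each address may talk to itself
    for ip in "$@"; do
        printf 'pass on lo0 from %s to %s\n' "$ip" "$ip"
    done
}

# Addresses of the jails currently running (assumption: jls prints one
# jail per line, IPv4 addresses comma-separated, "-" when it has none).
collect_jail_addrs() {
    jls ip4.addr | tr ',' '\n' | grep -v '^-$' | sed '/^$/d' | sort -u
}

# Replace the anchor's rules in one load; pfctl reads the ruleset from stdin.
load_jail_rules() {
    gen_jail_rules "$@" | pfctl -a "$ANCHOR" -f -
}

# From jail.conf hooks (exec.poststart / exec.poststop), as root:
#   load_jail_rules $(collect_jail_addrs)
```

Only the table and the self rules change between loads, so a jail that has stopped loses its exception as soon as the hook runs.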
