Date: Sat, 29 Mar 2014 10:31:12 +0100
From: Mikal Sande <mikal.sande@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Controlling traffic between jails on the same host
Message-ID: <533692E0.6000104@gmail.com>
In-Reply-To: <53366B85.3020002@soliddataservices.com>
References: <53366B85.3020002@soliddataservices.com>
On 03/29/2014 07:43 AM, Matt Lager wrote:
> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with
> 3 jails on it. The host and each jail are assigned a public IP
> address. The host runs PF that controls inbound and outbound traffic
> for itself and its jails. All works really nicely. Here's a basic
> diagram:
>
> PF does a really good job controlling traffic to and from remote
> systems. I have recently come across the need to limit traffic from
> jails on the host to other jails on the same host, i.e. HostA-JailA
> needs to not be able to communicate with HostA-JailB. What I am
> seeing, however, is that because all these jails share a single
> interface, the traffic must not be going through PF as it is just seen
> as local traffic.
>
> I briefly tried to bring up a jail on another interface (lo1 for
> example) and use NAT to provide it with its connectivity, but even
> then the local traffic was still not filterable.
>
> There's got to be a way, but my brain hasn't thought of it yet. Any
> advice would be amazing, thanks so much ahead of time!
>
> --Matt
>

Do you have rules that allow all traffic on loopback, or do you have
'set skip on lo0' or something in your pf.conf? I had the latter set
last time I tried to limit traffic between jails; it took me a little
time to realize it.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?533692E0.6000104>
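The point in Mikal's reply is that traffic between two IP addresses configured on the same FreeBSD host is routed over the loopback interface (lo0), not over the shared external interface, so a `set skip on lo0` line takes that traffic out of PF's view entirely. The following pf.conf fragment is an added illustration, not configuration posted by either participant: it shows the setting that hides inter-jail traffic next to a corrected ruleset that keeps lo0 filtered and blocks JailA from reaching JailB. The interface name `em0` and the 203.0.113.x addresses are assumed placeholders (RFC 5737 documentation range), not values from the thread.

```pf
# --- Weak setting: PF never inspects inter-jail traffic, because packets ---
# --- between two local addresses traverse lo0, and lo0 is skipped.      ---
# set skip on lo0

# --- Corrected ruleset: lo0 stays filtered; loopback proper is allowed, ---
# --- JailA <-> JailB is blocked, the rest of the host's local traffic    ---
# --- is allowed explicitly.                                               ---
ext_if = "em0"            # assumed: the one interface the host and jails share
host   = "203.0.113.10"   # assumed host address
jail_a = "203.0.113.11"   # assumed JailA address
jail_b = "203.0.113.12"   # assumed JailB address
jail_c = "203.0.113.13"   # assumed JailC address
local  = "{ " $host ", " $jail_a ", " $jail_b ", " $jail_c " }"

# Genuine loopback traffic (127.0.0.1 <-> 127.0.0.1) is still permitted.
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# JailA and JailB must not talk to each other in either direction.
# "quick" stops evaluation here, so the broad pass below cannot undo it.
block quick on lo0 inet from $jail_a to $jail_b
block quick on lo0 inet from $jail_b to $jail_a

# Every other host/jail pairing is allowed to communicate locally.
pass quick on lo0 inet from $local to $local

# The existing rules for traffic on $ext_if (to and from remote systems)
# follow here unchanged.
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it. To confirm the diagnosis that the traffic really does cross lo0, run `tcpdump -ni lo0 host 203.0.113.12` on the host while connecting from JailA to JailB; once the rules are loaded, `pfctl -vvsr` shows the per-rule packet counters, so a connection attempt from JailA should increment the first `block quick on lo0` rule rather than any rule on $ext_if.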