PF rule question

Uroš Gruber uros.gruber at gmail.com
Wed Oct 9 22:54:31 UTC 2013


Hi,

I'm struggling to complete my pf firewall configuration with a bit more
optimized rules.

I have a few hundred jails set up on the network from 172.16.1.0 to 172.16.10.0

My goal is to deny access between jails, but allow a few exceptions for
example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.

I've accomplished this with rules like

pass on lo0 from $jailnet to 172.16.1.0/26
pass on lo0 from 172.16.1.1 to 172.16.1.1
pass on lo0 from 172.16.1.2 to 172.16.1.2
pass on lo0 from 172.16.1.3 to 172.16.1.3
pass on lo0 from 172.16.1.4 to 172.16.1.4
.......
......
pass on lo0 from 172.16.10.252 to 172.16.10.252
pass on lo0 from 172.16.10.253 to 172.16.10.253
pass on lo0 from 172.16.10.254 to 172.16.10.254

So the basic idea is to allow only traffic from a src IP to itself.

I would like to know if there is a better way to write such rules, mostly
because all those jails are very dynamic in terms of
running, stopping/destroying etc., and also IP aliases are removed and added
back continuously.

Thanks for any help on this.

Uros
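
As an added example (not from the post above or from any reply on the list), one way to keep the per-jail "from itself to itself" rules in step with jails starting and stopping is to generate them into a dedicated pf anchor from the running jail list, so the main pf.conf never has to be edited. The anchor name, the jail.conf hooks, and the use of jls(8) as the inventory source are assumptions.

```shell
#!/bin/sh
# Added example: regenerate the per-jail self-to-self pass rules into a pf
# anchor. Assumes the main pf.conf contains (with $jailnet defined there):
#   block on lo0 from $jailnet to $jailnet
#   pass  on lo0 from $jailnet to 172.16.1.0/26
#   anchor "jailself" on lo0
# so the anchor's pass rules override the block for loopback traffic only.

# Emit one "pass on lo0 from IP to IP" rule per address given as an argument.
# Pure text generation (no pfctl), so it can be checked offline.
gen_self_rules() {
    for ip in "$@"; do
        printf 'pass on lo0 from %s to %s\n' "$ip" "$ip"
    done
}

# Normalise the output of "jls ip4.addr" read from stdin: split the
# comma-separated address lists, drop "-" (jail without IPv4) and blank
# lines. The exact jls output format is an assumption; adjust if yours
# differs or if you keep jail addresses in another inventory.
filter_ips() {
    tr ',' '\n' | awk '$1 != "" && $1 != "-" { print $1 }'
}

# Collect the IPv4 addresses of all currently running jails.
running_jail_ips() {
    jls ip4.addr 2>/dev/null | filter_ips
}

# Replace the whole contents of anchor "jailself" with freshly generated
# rules. An empty rule set simply removes every self-to-self pass rule.
reload_self_anchor() {
    # shellcheck disable=SC2046  # word splitting of the IP list is intended
    gen_self_rules $(running_jail_ips) | pfctl -a jailself -f -
}

# Example jail.conf hooks (assumed paths), so the anchor is refreshed
# whenever a jail starts or stops:
#   exec.poststart = "/usr/local/sbin/jail-pf-reload";
#   exec.poststop  = "/usr/local/sbin/jail-pf-reload";
# where jail-pf-reload sources this file and calls reload_self_anchor.
```

Because the anchor is reloaded as a unit, an alias that disappears from a jail drops out of the rule set on the next refresh instead of lingering as a stale pass rule.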


More information about the freebsd-pf mailing list