Controlling traffic between jails on the same host

wishmaster artemrts at ukr.net
Sat Mar 29 11:22:53 UTC 2014



--- Original message ---
From: "Matt Lager" <matt at soliddataservices.com>
Date: 29 March 2014, 08:50:27


> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3 
> jails on it. The host and each jail are assigned a public IP address. 
> The host runs PF, which controls inbound and outbound traffic for itself 
> and its jails. All works really nicely. Here's a basic diagram:
> 
> PF does a really good job controlling traffic to and from remote systems. 
> I have recently come across the need to limit traffic from jails on the 
> host to other jails on the same host. I.e. HostA-JailA needs to not be 
> able to communicate with HostA-JailB. What I am seeing, however, is that 
> because all these jails share a single interface, the traffic must not 
> be going through PF, as it is just seen as local traffic.
> 
> I briefly tried to bring up a jail on another interface (lo1 for 
> example) and use NAT to provide it with its connectivity, but even then 
> the local traffic was still not filterable.
> 
> There's got to be a way, but my brain hasn't thought of it yet. Any 
> advice would be amazing, thanks so much ahead of time!
> 
I had the same problem and have switched to vnet. With vnet you will be able to have an internal network and communicate with the base host, other jails and the world via an epair switch.
In the jails you can completely disable pf and do traffic filtering on each epair*a interface.

But I don't know how stable pf is with the virtualized network stack (question to glebius@?). I use ipfw.

There is one more important factor: traffic shaping and prioritization. If your base host works as a router for the LAN and has some services in vnet jails, you can easily divide and prioritize the Internet link among jailed services and LAN users.

--
Cheers,
Vitaliy
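A minimal version of the vnet/epair layout the reply describes, written up as an added example rather than anything from the original thread: each jail gets its own epair, the *b end lives inside the jail, the *a end stays on the host on a bridge, and only the host runs pf, where one rule on the epair*a interfaces isolates the jails from each other. Jail names, the 10.0.0.0/24 addressing, bridge0, em0 and the epair numbering are assumptions; on FreeBSD 10 the kernel must be built with VIMAGE for vnet to be available.

```conf
# /etc/jail.conf (example; names, addresses and bridge0 are assumed)
# exec.prestart runs on the host, exec.start inside the jail's own vnet.
exec.clean;
path = "/jails/$name";
host.hostname = "$name";
vnet;
vnet.interface = "epair${id}b";
exec.prestart  = "ifconfig epair${id} create; ifconfig epair${id}a up; ifconfig bridge0 addm epair${id}a";
exec.start     = "ifconfig epair${id}b ${ip}/24 up; route add default 10.0.0.1";
exec.start    += "/bin/sh /etc/rc";
exec.stop      = "/bin/sh /etc/rc.shutdown";
exec.poststop  = "ifconfig epair${id}a destroy";

jaila { $id = 0; $ip = "10.0.0.11"; }
jailb { $id = 1; $ip = "10.0.0.12"; }
jailc { $id = 2; $ip = "10.0.0.13"; }

# /etc/pf.conf on the host (example). bridge0 carries 10.0.0.1/24; pf is
# disabled inside the jails. net.link.bridge.pfil_member=1 (the default)
# is what lets pf see packets on the epair*a bridge members.
ext_if   = "em0"
jail_net = "10.0.0.0/24"
jail_ifs = "{ epair0a epair1a epair2a }"
table <jails> { 10.0.0.11, 10.0.0.12, 10.0.0.13 }

# jails reach the outside world through the host
nat on $ext_if from $jail_net to any -> ($ext_if)

# A packet from one jail to another enters the host on the sending jail's
# epair*a; dropping it there stops jail-to-jail traffic while still letting
# every jail talk to the host (10.0.0.1) and to remote systems.
block in quick on $jail_ifs from <jails> to <jails>
pass all
```

With a pf rule on the host side of the epair, the "local" traffic the original post could not filter becomes ordinary traffic crossing an interface, so the same logging and state-tracking apply to it as to anything else.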