pf and jails

Nejc Škoberne nejc at skoberne.net
Thu Aug 7 16:13:59 UTC 2008


Hello,

I have a server with multiple jails of different types (service jails, user jails, ...).
In my rc.conf I have (the relevant parts):

# Host
ifconfig_bge0="a.b.c.242 netmask 255.255.255.240" # Host
ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255" # Common
defaultrouter="a.b.c.241"

# Jails
cloned_interfaces="lo1 lo2"
ifconfig_lo1="10.1.1.1 netmask 255.255.255.0"
ifconfig_lo2="10.1.2.1 netmask 255.255.255.0"
jail_first_ip="a.b.c.244"
jail_first_interface="bge0 netmask 255.255.255.240"
jail_second_ip="10.1.1.13"
jail_second_interface="lo1 netmask 255.255.255.0"
jail_third_ip="10.1.2.10"
jail_third_interface="lo2 netmask 255.255.255.0"

Now I would like to do firewalling between these jails. So that users of the second and the
third jail can't ssh to first jail, for example. I thought this could be done by simply
doing:

- block log all
- pass on lo0 all
- [define other pass rules like: pass out on lo1 from ... to ...]

But then I realized that all the traffic which travels between the jails themselves and between
the jails and the host is only "visible" on the lo0 interface. So I guess this is done by design.

So my only option would be blocking all on lo0 and then doing pass rules only on lo0?
I guess this is harder, because I need to observe carefully what needs to be passed
on lo0 in order not to break anything? How do you do it?

Thanks,
Nejc
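One way to implement the lo0-only filtering the post asks about, as an added example pf.conf that is not part of the original message. It reuses the addresses from the rc.conf above (a.b.c stays the poster's placeholder prefix) and assumes the first jail is the service jail that the second and third (user) jails must not reach over ssh.

```pf
# Added example, not from the original post. Addresses taken from the rc.conf;
# a.b.c is the poster's placeholder prefix. The user/service roles are assumed.
ext_if     = "bge0"
host_ip    = "a.b.c.242"
first_jail = "a.b.c.244"          # assumed: service jail
table <user_jails> const { 10.1.1.13, 10.1.2.10 }   # second and third jail
table <all_jails>  const { a.b.c.244, 10.1.1.13, 10.1.2.10 }

# Do NOT 'set skip on lo0': jail<->jail and jail<->host traffic is only seen
# on lo0, so lo0 must stay filtered. Default deny, logged, for everything.
block log all

# Plain host loopback traffic (not jail related) stays open.
pass quick on lo0 inet from 127.0.0.1 to 127.0.0.1

# Each jail may talk to itself over lo0 (e.g. a daemon binding its own IP).
pass quick on lo0 from $first_jail to $first_jail
pass quick on lo0 from <user_jails> to <user_jails> keep state

# The host may reach every jail; replies come back via the state entry.
pass quick on lo0 from $host_ip to <all_jails> keep state

# Policy from the post: user jails must not ssh into the service jail.
# 'quick' makes this block win over the pass rules that follow it.
block log quick on lo0 proto tcp from <user_jails> to $first_jail port ssh

# What user jails are still allowed to use on the service jail (example ports).
pass quick on lo0 proto { tcp, udp } from <user_jails> to $first_jail \
    port { domain, http } keep state

# Everything else crossing lo0 between jails is caught by 'block log all';
# watch 'tcpdump -n -e -ttt -i pflog0' for lo0 entries to find legitimate
# flows that still need an explicit pass rule.

# External side: admin ssh to the host and the service jail, outbound from host.
pass in  quick on $ext_if proto tcp to { $host_ip, $first_jail } port ssh keep state
pass out quick on $ext_if from $host_ip to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the pflog entries tagged with lo0 show which inter-jail traffic still falls through to the default block.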