pf and jails
nejc at skoberne.net
Thu Aug 7 16:13:59 UTC 2008
I have a server with multiple jails of different types (service jails, user jails, ...).
In my rc.conf I have (the relevant parts):
ifconfig_bge0="a.b.c.242 netmask 255.255.255.240" # Host
ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255" # Common
ifconfig_lo1="10.1.1.1 netmask 255.255.255.0"
ifconfig_lo2="10.1.2.1 netmask 255.255.255.0"
jail_first_interface="bge0 netmask 255.255.255.240"
jail_second_interface="lo1 netmask 255.255.255.0"
jail_third_interface="lo2 netmask 255.255.255.0"
Now I would like to do firewalling between these jails. So that users of the second and the
third jail can't ssh to first jail, for example. I thought this could be done by simply
- block log all
- pass on lo0 all
- [define other pass rules like: pass out on lo1 from ... to ...]
But then I realized that all the traffic which travels between jails themselves and between
jails and the host, is only "visible" on lo0 interface. So I guess this is done by design.
So my only option would be blocking all on lo0 and then doing pass rules only on lo0?
I guess this is harder, because I need to observe carefully what needs to be passed
on lo0 in order not to break anything? How do you do it?
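Since the inter-jail and jail-to-host packets only show up on lo0, the filtering there has to key on addresses rather than on interfaces, and lo0 must not be in "set skip". The pf.conf below is an added example of that approach; it is not from the original post nor from anyone on the list. It assumes jail addresses (a.b.c.243 for the first jail, 10.1.1.2 and 10.1.2.2 for the second and third), because the quoted rc.conf shows only the interface addresses and not the jail_*_ip lines, and it assumes one policy: the user jails may reach the service jail's web ports but not its sshd, and the host may talk to everything.

```pf
# Added example, not from the original post. Jail addresses are assumptions:
# the rc.conf excerpt shows the interface addresses, not jail_*_ip.
ext_if   = "bge0"
host_ip  = "a.b.c.242"
jail1_ip = "a.b.c.243"             # assumed: service jail, alias on bge0
jail2_ip = "10.1.1.2"              # assumed: user jail on lo1
jail3_ip = "10.1.2.2"              # assumed: user jail on lo2
table <userjails> const { $jail2_ip, $jail3_ip }

set block-policy drop
# Deliberately no "set skip on lo0": a looped-back packet is seen by pf
# twice on lo0 (once out, once in), and that is the only place it is seen.

# Default deny, logged; watch hits with: tcpdump -n -e -ttt -i pflog0
block log all

# Real loopback stays open so local daemons keep working.
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# Let everything leave on lo0; the policy is enforced on the inbound pass.
pass out quick on lo0 keep state

# The host itself may reach every jail and every jail may reach the host
# (including host daemons bound to *); tighten if that is not wanted.
pass in quick on lo0 from $host_ip to any keep state
pass in quick on lo0 from any to $host_ip keep state

# Users of the second and third jail must not ssh to the first jail.
block in log quick on lo0 proto tcp from <userjails> to $jail1_ip port ssh

# What the user jails legitimately need from the service jail is passed
# explicitly; anything else between jails falls through to "block log all".
pass in quick on lo0 proto tcp from <userjails> to $jail1_ip port { http, https } keep state

# Assumed policy: the service jail may reach the user jails (e.g. monitoring).
pass in quick on lo0 from $jail1_ip to <userjails> keep state

# Outside-facing rules on bge0 are unchanged from before, e.g.:
pass in on $ext_if proto tcp from any to { $host_ip, $jail1_ip } port ssh keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then test a jail-to-jail ssh and look at `pfctl -vsr` (rule counters) and `tcpdump -n -e -ttt -i pflog0` (logged blocks) to confirm the lo0 rule is the one being hit. Because each looped-back packet passes pf twice, pf ends up with one state per direction for every connection across lo0; that is expected and is why the outbound side can simply be passed while the inbound side carries the policy.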