pf and jails

Nejc Škoberne nejc at
Thu Aug 7 16:13:59 UTC 2008


I have a server with multiple jails of different types (service jails, user jails, ...).
In my rc.conf I have (the relevant parts):

# Host
ifconfig_bge0="a.b.c.242 netmask" # Host
ifconfig_bge0_alias0="a.b.c.243 netmask" # Common

# Jails
cloned_interfaces="lo1 lo2"
ifconfig_lo1=" netmask"
ifconfig_lo2=" netmask"
jail_first_interface="bge0 netmask"
jail_second_interface="lo1 netmask"
jail_third_interface="lo2 netmask"

Now I would like to do firewalling between these jails, so that users of the second and
third jails can't ssh to the first jail, for example. I thought this could be done by simply

- block log all
- pass on lo0 all
- [define other pass rules like: pass out on lo1 from ... to ...]

But then I realized that all the traffic which travels between the jails themselves and between
the jails and the host is only "visible" on the lo0 interface. So I guess this is done by design.

So my only option would be blocking all on lo0 and then doing pass rules only on lo0?
I guess this is harder, because I need to observe carefully what needs to be passed
on lo0 in order not to break anything? How do you do it?
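Below is an added example of what "block everything on lo0, then pass only what the jails are allowed to do" can look like. It is not from the poster or from the FreeBSD project; the addresses (192.0.2.x for bge0, 10.1.0.1 on lo1, 10.2.0.1 on lo2) are assumed placeholders standing in for the a.b.c.* and lo1/lo2 addresses that are not shown above, and the allowed services (http from the second and third jails to the first, ssh only from the first jail outward) are an invented policy to illustrate the mechanism.

```pf
# Added example pf.conf for the jail layout in the post (not the poster's real
# config). All addresses below are assumed placeholders.
ext_if      = "bge0"
host        = "192.0.2.242"     # assumed: host address on bge0
first_jail  = "192.0.2.244"     # assumed: jail_first on bge0
second_jail = "10.1.0.1"        # assumed: jail_second on lo1
third_jail  = "10.2.0.1"        # assumed: jail_third on lo2
jails       = "{" $first_jail $second_jail $third_jail "}"

set loginterface lo0

# Default deny on every interface, lo0 included, and log the drops so that
# "what did I break" can be answered with: tcpdump -n -e -ttt -i pflog0
block log all

# The host's own daemons talk to themselves over 127.0.0.1 / ::1; keep that
# working unconditionally. (Traffic from inside a jail is sourced from the
# jail's own address, so this rule does not let jails talk to each other.)
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# Host <-> jail traffic crosses lo0 with the host and jail addresses as
# endpoints; allow it in both directions so the host can administer its jails.
pass on lo0 inet from $host  to $jails keep state
pass on lo0 inet from $jails to $host  keep state

# Jail policy (assumed for the example): the second and third jails may reach
# the first jail's web server only. Their ssh attempts fall through to
# "block log all" above and show up on pflog0.
pass on lo0 inet proto tcp from { $second_jail, $third_jail } to $first_jail \
    port 80 flags S/SA keep state

# The first jail may ssh into the other two (an asymmetric rule, to show that
# direction is expressed through src/dst, not through the interface).
pass on lo0 inet proto tcp from $first_jail to { $second_jail, $third_jail } \
    port ssh flags S/SA keep state

# Outside world: publish the first jail's ssh and http on bge0, let the host
# and jails initiate outbound connections.
pass in  on $ext_if inet proto tcp to $first_jail port { 22, 80 } flags S/SA keep state
pass out on $ext_if keep state
```

Two things worth knowing before loading this. A packet on lo0 is seen by pf twice, once going out and once coming back in, which is why the lo0 rules above are written without `in`/`out`: a direction-less `pass on lo0` matches both passes, so you do not depend on the state created by the outbound pass also covering the inbound copy. And load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`; with `block log all` in place, `tcpdump -n -e -ttt -i pflog0` will show exactly which host-local flow you forgot, which is the "observe carefully what needs to be passed" step from the question done empirically rather than by guessing.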


More information about the freebsd-pf mailing list