Controlling traffic between jails on the same host

Matt Lager matt at
Sat Mar 29 06:50:24 UTC 2014

The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3 
jails on it. The host, and each jail are assigned a public IP address. 
The host runs PF that controls inbound and outbound traffic for itself 
and its jails. All works really nicely. Here's a basic diagram:

PF does a really good job controlling traffic to and from remote systems. 
I have recently come across the need to limit traffic from jails on the 
host to other jails on the same host, i.e. HostA-JailA needs to not be 
able to communicate with HostA-JailB. What I am seeing, however, is that 
because all these jails share a single interface, the traffic must not 
be going through PF as it is just seen as local traffic.

I briefly tried to bring up a jail on another interface (lo1 for 
example) and use NAT to provide it with its connectivity, but even then 
the local traffic was still not filterable.

There's got to be a way, but my brain hasn't thought of it yet. Any 
advice would be amazing, thanks so much ahead of time!
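An added example ruleset, not from the original post, that illustrates one way to filter the jail-to-jail case described above. On FreeBSD, packets between two addresses configured on the same host (including jail aliases on a shared interface) are delivered over lo0, so PF can only match them if lo0 is not excluded with `set skip`; the interface name and jail addresses below are placeholders.

```pf
# /etc/pf.conf fragment (added example; em0 and the addresses are assumed)
ext_if = "em0"
jail_a = "203.0.113.11"   # HostA-JailA (placeholder)
jail_b = "203.0.113.12"   # HostA-JailB (placeholder)
jail_c = "203.0.113.13"   # HostA-JailC (placeholder)

# Deliberately NO "set skip on lo0" here: local-to-local traffic between
# the host's own addresses traverses lo0, and skipping it hides that
# traffic from PF entirely (the symptom described in the post).

block log all

# Plain loopback (127/8) stays open for the host's own services.
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# Deny JailA <-> JailB over the loopback path, in both directions.
block drop in quick log on lo0 inet from $jail_a to $jail_b
block drop in quick log on lo0 inet from $jail_b to $jail_a

# Any other jail-to-jail or host-to-jail traffic on lo0 remains allowed.
pass quick on lo0

# Existing rules for the public interface continue below, e.g.:
pass in on $ext_if inet proto tcp to { $jail_a $jail_b $jail_c } port 22
pass out on $ext_if inet from { $jail_a $jail_b $jail_c }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, and confirm the blocked flows with `tcpdump -n -e -ttt -i pflog0` while connecting from one jail to the other.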


