Controlling traffic between jails on the same host
matt at soliddataservices.com
Sat Mar 29 06:50:24 UTC 2014
The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3
jails on it. The host, and each jail are assigned a public IP address.
The host runs PF that controls inbound and outbound traffic for itself
and its jails. All works really nicely. Here's a basic diagram:
PF does a really good job controlling traffic to and from remote systems.
I have recently come across the need to limit traffic from jails on the
host to other jails on the same host, i.e. HostA-JailA needs to not be
able to communicate with HostA-JailB. What I am seeing, however, is that
because all these jails share a single interface, the traffic must not
be going through PF as it is just seen as local traffic.
I briefly tried to bring up a jail on another interface (lo1 for
example) and use NAT to provide it with its connectivity, but even then
the local traffic was still not filterable.
There's got to be a way, but my brain hasn't thought of it yet. Any
advice would be amazing, thanks so much ahead of time!
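An added example, not part of the original post: a minimal pf.conf for the setup described above (FreeBSD host plus jails as IP aliases on one external interface), showing where the jail-to-jail packets can be caught. Packets between two addresses that both live on the same host never hit the wire; the kernel delivers them over lo0. The usual `set skip on lo0` line (or `set skip on lo`, which also matches lo1 and any other loopback clone) exempts exactly that traffic from the ruleset, so the example deliberately leaves it out and filters on lo0 instead. The interface name em0 and the 203.0.113.x addresses are assumptions for illustration; substitute your own.

```pf
# Added example (not from the original post). Assumed addressing:
#   host  = 203.0.113.10 on em0
#   JailA = 203.0.113.11, alias on em0
#   JailB = 203.0.113.12, alias on em0
ext_if = "em0"
jail_a = "203.0.113.11"
jail_b = "203.0.113.12"

# NOTE: no 'set skip on lo0' and no 'set skip on lo' here. Inter-jail
# traffic is delivered over lo0, so skipping loopback is what makes it
# unfilterable. Keep normal 127/8 loopback traffic working explicitly.
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# Default deny; 'log' sends blocked packets to pflog0 for verification.
block log all

# Inter-jail isolation: JailA and JailB may not talk to each other.
# 'quick' stops evaluation at the first match, in either direction.
block in log quick on lo0 inet from $jail_a to $jail_b
block in log quick on lo0 inet from $jail_b to $jail_a

# Jails may still reach the host's own address and the outside world.
pass in quick on lo0 inet from { $jail_a, $jail_b } to ($ext_if)
pass out quick on $ext_if inet from { $jail_a, $jail_b } to any keep state
pass out quick on $ext_if inet from ($ext_if) to any keep state

# Example inbound services: ssh to the host, http to JailA.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
pass in on $ext_if inet proto tcp from any to $jail_a port 80 keep state
```

To check the effect: syntax-check and load with `pfctl -nf /etc/pf.conf` then `pfctl -f /etc/pf.conf`, confirm the lo0 rules are present with `pfctl -sr | grep lo0`, then run `ping -c 1 203.0.113.12` from inside JailA (for example via `jexec`) while watching `tcpdump -nei pflog0`; the ICMP echo should show up as a blocked packet on lo0, and a ping from JailA to the host address should still succeed. If a `set skip on lo` line exists anywhere in the ruleset, the block rules are never consulted and the ping goes through, which is also the reason moving a jail to lo1 behind NAT does not by itself make the traffic filterable.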