Controlling traffic between jails on the same host

Mikal Sande mikal.sande at gmail.com
Sat Mar 29 09:31:26 UTC 2014


On 03/29/2014 07:43 AM, Matt Lager wrote:
> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 
> 3 jails on it. The host, and each jail are assigned a public IP 
> address. The host runs PF that controls inbound and outbound traffic 
> for itself and its jails. All works really nicely. Here's a basic 
> diagram:
>
> PF does a really good job controlling traffic to and from remote 
> systems. I have recently come across the need to limit traffic from 
> jails on the host to other jails on the same host. I.E. HostA-JailA 
> needs to not be able to communicate with HostA-JailB. What I am 
> seeing, however, is that because all these jails share a single 
> interface, the traffic must not be going through PF as it is just seen 
> as local traffic.
>
> I briefly tried to bring up a jail on another interface (lo1 for 
> example) and use NAT to provide it with its connectivity, but even 
> then the local traffic was still not filterable.
>
> There's got to be a way, but my brain hasn't thought of it yet. Any 
> advice would be amazing, thanks so much ahead of time!
>
> --Matt
>
Do you have rules that allow all traffic on loopback, or do you have 
'set skip on lo0' or something in your pf.conf? I had the latter set 
last time I tried to limit traffic between jails; it took me a little 
time to realize it.


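The following pf.conf fragment is an added illustration of the point made in the reply above; it is not configuration from either poster. It assumes that packets between two IP addresses configured on the same host are delivered over lo0 (so that a 'set skip on lo0' line takes them out of pf's view), and the interface name and the addresses in it (em0, 203.0.113.x) are placeholders, not values from the thread. The weak line is left commented out next to the rules that replace it.

```conf
# Assumed names and addresses (hypothetical; not from the thread)
ext_if    = "em0"
host_ip   = "203.0.113.10"
jail_a_ip = "203.0.113.11"
jail_b_ip = "203.0.113.12"
jail_c_ip = "203.0.113.13"

# WEAK: skipping lo0 means pf never evaluates locally delivered packets.
# Jail-to-jail traffic on a shared interface is delivered over lo0, so
# the block rules further down would never see it. Do not enable this.
# set skip on lo0

# CORRECTED: keep lo0 filtered and allow genuine loopback traffic explicitly.
pass quick on lo0 inet  from 127.0.0.0/8 to 127.0.0.0/8
pass quick on lo0 inet6 from ::1 to ::1

# Jail A and Jail B must not talk to each other. Match on addresses rather
# than on the interface, because these packets arrive on lo0, not on $ext_if.
block drop quick from $jail_a_ip to $jail_b_ip
block drop quick from $jail_b_ip to $jail_a_ip

# Everything else between the host and its jails stays allowed.
pass quick on lo0 from { $host_ip, $jail_a_ip, $jail_b_ip, $jail_c_ip } \
    to { $host_ip, $jail_a_ip, $jail_b_ip, $jail_c_ip }

# External policy for the shared interface (illustrative only)
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $jail_a_ip port 80 keep state
```

After loading the ruleset, the block rules can be confirmed with `pfctl -vsr`, whose per-rule counters should increase when a connection is attempted from inside Jail A to Jail B (for example with `jexec` into the jail and a single ping or TCP connect); if the counters stay at zero while the connection still succeeds, some earlier rule, a 'set skip', or a different delivery path is still letting the traffic bypass the filter.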
More information about the freebsd-pf mailing list