Controlling traffic between jails on the same host

Matt Lager matt at soliddataservices.com
Sat Mar 29 18:05:35 UTC 2014


That was it, lo0 was the answer and I had set skip on lo0. For some 
reason, that's in every freaking pf.conf example out there so I never 
gave it a second thought. Thanks :)

On 3/29/2014 2:31 AM, Mikal Sande wrote:
> On 03/29/2014 07:43 AM, Matt Lager wrote:
>> The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 
>> 3 jails on it. The host, and each jail are assigned a public IP 
>> address. The host runs PF that controls inbound and outbound traffic 
>> for itself and its jails. All works really nicely. Here's a basic 
>> diagram:
>>
>> PF does a really good job controlling traffic to and from remote 
>> systems. I have recently come across the need to limit traffic from 
>> jails on the host to other jails on the same host, i.e. HostA-JailA 
>> needs to not be able to communicate with HostA-JailB. What I am 
>> seeing, however, is that because all these jails share a single 
>> interface, the traffic must not be going through PF as it is just 
>> seen as local traffic.
>>
>> I briefly tried to bring up a jail on another interface (lo1 for 
>> example) and use NAT to provide it with its connectivity, but even 
>> then the local traffic was still not filterable.
>>
>> There's got to be a way, but my brain hasn't thought of it yet. Any 
>> advice would be amazing, thanks so much ahead of time!
>>
>> --Matt
>>
> Do you have rules that allow all traffic on loopback, or do you have 
> 'set skip on lo0' or something in your pf.conf? I had the latter set 
> last time I tried to limit traffic between jails, it took me a little 
> time to realize it.

-- 

Solid Data Services <http://www.soliddataservices.com>

Matt Lager / President
*Office:* 480-351-5122
*Mobile:* 501-269-8606
www.SolidDataServices.com <http://www.soliddataservices.com>
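As an added illustration (not part of the thread or anyone's actual configuration), here is a minimal pf.conf contrasting the `set skip on lo0` line that caused the problem with rules that filter loopback explicitly. The interface name, addresses and jail names are constructed; the assumption, as in the thread, is that the host and all three jails are aliases on one interface, so jail-to-jail packets are delivered over lo0 and only appear to PF there.

```pf
# Constructed example: em0 carries the host address and three jail aliases.
ext_if  = "em0"
host_ip = "203.0.113.10"
jail_a  = "203.0.113.11"
jail_b  = "203.0.113.12"
jail_c  = "203.0.113.13"

# --- Problematic (copied from most pf.conf examples) ---
# Packets between jails on the same host never leave the machine; they are
# looped back over lo0, so this single line exempts them from every rule.
# set skip on lo0

# --- Corrected: filter lo0 instead of skipping it ---
# Local processes still need unrestricted loopback on 127.0.0.1.
pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# Deny jail A <-> jail B in both directions; log matches so the policy
# can be verified on pflog0 rather than assumed.
block log quick on lo0 from $jail_a to $jail_b
block log quick on lo0 from $jail_b to $jail_a

# Everything else on loopback (host <-> jails, jail C) stays allowed.
pass quick on lo0

# External policy for the host and jails, unchanged by the fix above.
block in on $ext_if
pass in on $ext_if proto tcp to { $host_ip $jail_a $jail_b $jail_c } port 22
pass out on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `tcpdump -n -i pflog0` shows any blocked jail A to jail B attempts, which confirms that loopback traffic is now passing through the ruleset.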
