Hi, I'm struggling to complete my pf firewall configuration with a bit more optimized rules.

I have a few hundred jails set up on networks from 172.16.1.0 to 172.16.10.0. My goal is to deny access between jails, but allow a few exceptions; for example, all jails can connect to jails from 172.16.1.0 to 172.16.1.64. I've accomplished this with rules like:

    pass on lo0 from $jailnet to 172.16.1.0/26
    pass on lo0 from 172.16.1.1 to 172.16.1.1
    pass on lo0 from 172.16.1.2 to 172.16.1.2
    pass on lo0 from 172.16.1.3 to 172.16.1.3
    pass on lo0 from 172.16.1.4 to 172.16.1.4
    .......
    ......
    pass on lo0 from 172.16.10.252 to 172.16.10.252
    pass on lo0 from 172.16.10.253 to 172.16.10.253
    pass on lo0 from 172.16.10.254 to 172.16.10.254

So the basic idea is to allow only traffic from a source IP to itself. I would like to know if there is a better way to write such rules, mostly because all those jails are very dynamic in terms of running, stopping/destroying etc., and also IP aliases are removed and added back continuously.

Thanks for any help on this.

Uros
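As an added example (not from Uros's post or from the pf project), the script below generates the same "source to itself" pass rules from the addresses currently configured on lo0 and loads them into a pf anchor, so only the anchor is reloaded when jails or aliases change. It assumes pf.conf contains an `anchor "jails"` line, that the jail range fits in 172.16.0.0/12, and that jail addresses are lo0 aliases (all hypothetical names and values, not from the post).

```shell
#!/bin/sh
# Added example: build the per-jail isolation rules for a pf anchor.
# Assumed: pf.conf holds 'anchor "jails"' and jails live on lo0 aliases.

JAILNET="172.16.0.0/12"   # assumed: covers 172.16.1.0 - 172.16.10.0
HUB="172.16.1.0/26"       # jails every other jail may reach (from the post)

# List the jail addresses currently configured on lo0 (assumed layout).
list_jail_ips() {
    ifconfig lo0 inet 2>/dev/null |
        awk '$1 == "inet" && $2 ~ /^172\.16\./ { print $2 }'
}

# One pass rule per address: a jail may only talk to its own address.
gen_self_rules() {
    for ip in "$@"; do
        printf 'pass on lo0 from %s to %s\n' "$ip" "$ip"
    done
}

# Full anchor body. pf is last-match-wins, so the block comes first and
# the more specific pass rules after it override it.
gen_anchor_rules() {
    printf 'block on lo0 from %s to %s\n' "$JAILNET" "$JAILNET"
    printf 'pass on lo0 from %s to %s\n' "$JAILNET" "$HUB"
    gen_self_rules "$@"
}

# Replace the anchor contents without touching the main ruleset
# (run this from a jail start/stop hook or a periodic job).
load_jail_rules() {
    # shellcheck disable=SC2046  # word splitting of the address list is intended
    gen_anchor_rules $(list_jail_ips) | pfctl -a jails -f -
}

# Only load into pf when explicitly asked: "sh thisscript.sh load".
if [ "${1:-}" = "load" ]; then
    load_jail_rules
fi
```

Run with `pfctl -a jails -sr` afterwards to inspect the loaded anchor rules.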