Would this work?

block in on lo0 from lo0 to lo0
block out on lo0 from lo0 to lo0

On Sun, Oct 13, 2013 at 6:59 PM, Darren Pilgrim <list_free...@bluerosetech.com> wrote:
> On 10/9/2013 3:54 PM, Uroš Gruber wrote:
>
>> Hi,
>>
>> I'm struggling to complete my pf firewall configuration with a bit more
>> optimized rules.
>>
>> I have a few hundred jails set up on network from 172.16.1.0 to
>> 172.16.10.0
>>
>> My goal is to deny access between jails, but allow a few exceptions, for
>> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>>
>> I've accomplished this with rules like
>>
>> pass on lo0 from $jailnet to 172.16.1.0/26
>> pass on lo0 from 172.16.1.1 to 172.16.1.1
>>
>> I would like to know if there is a better way to write such rules, mostly
>> because all those jails are very dynamic in terms of
>> running, stopping/destroying etc. and also IP aliases are removed and added
>> back continuously.
>>
>
> Use an anchor for the "pass on lo0 from X to X" rules and a table for the
> jailnet. Then have your jail provisioning scripts manipulate the table and
> anchor as jails come up and down.
>
> In /etc/pf.conf:
>
> table <jailnet> persist
> pass on lo0 from <jailnet> to 172.16.1.0/26
> anchor <jails>
>
> When bringing up a jail:
>
> # pfctl -t jailnet -T add 192.0.2.65
> # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
>
> When taking down a jail:
>
> # pfctl -t jailnet -T delete 192.0.2.65
> # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
> # pfctl -k 192.0.2.65
>
> You'll need to reload the table and anchor rules on a system restart. You
> can do that with rules in /etc/pf.conf:
>
> table <jailnet> persist /path/to/jailnet_address_list
> load anchor jails from /path/to/jails_rules_list
>
> or directly using pfctl:
>
> # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
> # pfctl -a jails -f /path/to/jails_rules_list
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Rob Fraser
r...@logicalhosting.ca
www.logicalhosting.ca
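An added example, not code from the thread or from any of its posters: a small sh provisioning helper that keeps the `<jailnet>` address list and the `jails` anchor rules in files (so they survive a reboot, as Darren's reply recommends) and applies them with pfctl. Because `pfctl -a jails -f` replaces the anchor's entire ruleset, the script reloads the full rules file instead of loading one rule at a time, and it checks that the address is a plain dotted-quad IPv4 address before splicing it into rule text. The file paths under /var/db/pf and the PFCTL override variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: keep the jailnet table and the jails
# anchor in files so they survive a reboot, and apply them with pfctl.
# File locations and the PFCTL override are assumptions for illustration.
JAILNET_FILE=${JAILNET_FILE:-/var/db/pf/jailnet_address_list}
JAILS_RULES=${JAILS_RULES:-/var/db/pf/jails_rules_list}
PFCTL=${PFCTL:-pfctl}

# Refuse anything that is not a dotted-quad IPv4 address: the value is spliced
# into rule text, so a stray space or keyword would otherwise change the rule.
valid_ip() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

jail_rule() { printf 'pass on lo0 from %s to %s\n' "$1" "$1"; }

# Load the whole rules file each time: "pfctl -a jails -f" replaces the
# anchor's entire ruleset, so loading a single line would drop the other jails.
reload_anchor() { "$PFCTL" -a jails -f "$JAILS_RULES"; }

jail_up() {
  valid_ip "$1" || { echo "bad address: $1" >&2; return 1; }
  touch "$JAILNET_FILE" "$JAILS_RULES"
  grep -qxF "$1" "$JAILNET_FILE" || echo "$1" >> "$JAILNET_FILE"
  grep -qxF "$(jail_rule "$1")" "$JAILS_RULES" || jail_rule "$1" >> "$JAILS_RULES"
  "$PFCTL" -t jailnet -T add "$1" && reload_anchor
}

jail_down() {
  valid_ip "$1" || { echo "bad address: $1" >&2; return 1; }
  tmp=$(mktemp)
  { grep -vxF "$1" "$JAILNET_FILE" || :; } > "$tmp" && mv "$tmp" "$JAILNET_FILE"
  tmp=$(mktemp)
  { grep -vxF "$(jail_rule "$1")" "$JAILS_RULES" || :; } > "$tmp" && mv "$tmp" "$JAILS_RULES"
  "$PFCTL" -t jailnet -T delete "$1"
  reload_anchor
  "$PFCTL" -k "$1"   # drop any live states the jail still had
}

# Usage: jails.sh up 192.0.2.65 | jails.sh down 192.0.2.65
case ${1:-} in
  up)   jail_up "$2" ;;
  down) jail_down "$2" ;;
esac
```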