Hi Darren,

I thought about anchors and also did some tests with them. But the problem I'm seeing is that I need to get the list of all rules for all active jails when starting or stopping a jail. At least I don't see a way to add or remove a rule from an anchor except to replace all anchor rules.

Am I missing something here, or was that your idea?

Regards
Uros

On 14 October 2013 02:59, Darren Pilgrim <list_free...@bluerosetech.com> wrote:
> On 10/9/2013 3:54 PM, Uroš Gruber wrote:
>> Hi,
>>
>> I'm struggling to complete my pf firewall configuration with a bit more
>> optimized rules.
>>
>> I have a few hundred jails set up on networks from 172.16.1.0 to
>> 172.16.10.0.
>>
>> My goal is to deny access between jails, but allow a few exceptions, for
>> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>>
>> I've accomplished this with rules like
>>
>> pass on lo0 from $jailnet to 172.16.1.0/26
>> pass on lo0 from 172.16.1.1 to 172.16.1.1
>>
>> I would like to know if there is a better way to write such rules, mostly
>> because all those jails are very dynamic in terms of
>> running, stopping/destroying etc., and also IP aliases are removed and added
>> back continuously.
>
> Use an anchor for the "pass on lo0 from X to X" rules and a table for the
> jailnet. Then have your jail provisioning scripts manipulate the table and
> anchor as jails come up and down.
>
> In /etc/pf.conf:
>
> table <jailnet> persist
> pass on lo0 from <jailnet> to 172.16.1.0/26
> anchor "jails"
>
> When bringing up a jail:
>
> # pfctl -t jailnet -T add 192.0.2.65
> # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
>
> When taking down a jail:
>
> # pfctl -t jailnet -T delete 192.0.2.65
> # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
> # pfctl -k 192.0.2.65
>
> You'll need to reload the table and anchor rules on a system restart. You
> can do that with rules in /etc/pf.conf:
>
> table <jailnet> persist file "/path/to/jailnet_address_list"
> load anchor "jails" from "/path/to/jails_rules_list"
>
> or directly using pfctl:
>
> # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
> # pfctl -a jails -f /path/to/jails_rules_list

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
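A worked version of the provisioning-script idea from Darren's reply, added here as an example; it is not code from either poster. It takes Uroš's observation at face value: loading rules into an anchor with `pfctl -a jails -f` replaces the anchor's entire rule set, so instead of trying to add or remove single rules the script keeps a small on-disk list of running jails and regenerates the whole anchor rule set and the whole `<jailnet>` table from it on every change. It also covers the restart case (`reload`) that Darren mentions. The file locations under `/var/db/pf-jails`, the `name address` list format, the function names and the use of `pfctl -T replace` (instead of Darren's `-T add`/`-T delete`, so the table never keeps a stale address) are my assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not Darren's or Uroš's script): keep the <jailnet> table
# and the "jails" anchor from the thread in sync with the set of running
# jails. Anchor loads replace the anchor's whole rule set, so the complete
# set is rendered from a list file each time rather than edited in place.
# Paths, list format and function names are assumptions.

JAILNET_LIST="${JAILNET_LIST:-/var/db/pf-jails/jails.list}"  # lines: "<jailname> <address>"
ANCHOR_RULES="${ANCHOR_RULES:-/var/db/pf-jails/jails.rules}" # rendered anchor rules
TABLE_FILE="${TABLE_FILE:-/var/db/pf-jails/jailnet.addrs}"   # rendered table addresses
PFCTL="${PFCTL:-pfctl}"                                      # overridable for dry runs

# Print the full anchor rule set: one "pass on lo0 from A to A" rule per
# jail in the list, matching the rule shape from Darren's reply.
render_anchor_rules() {
    awk '{ printf "pass on lo0 from %s to %s\n", $2, $2 }' "$1"
}

# Render both files and push each to pf in a single pfctl call.
# "-T replace" makes the table match the file exactly, so an address that
# left the list is removed instead of lingering in the table.
reload_pf() {
    render_anchor_rules "$JAILNET_LIST" > "$ANCHOR_RULES"
    awk '{ print $2 }' "$JAILNET_LIST" > "$TABLE_FILE"
    "$PFCTL" -t jailnet -T replace -f "$TABLE_FILE"
    "$PFCTL" -a jails -f "$ANCHOR_RULES"
}

# Drop a jail's line from the list (no-op if it is not there). awk exits 0
# even when nothing is left, unlike "grep -v", so this is safe under set -e.
forget_jail() {
    mkdir -p "$(dirname "$JAILNET_LIST")"
    [ -f "$JAILNET_LIST" ] || : > "$JAILNET_LIST"
    awk -v n="$1" '$1 != n' "$JAILNET_LIST" > "$JAILNET_LIST.tmp"
    mv "$JAILNET_LIST.tmp" "$JAILNET_LIST"
}

# jail_up NAME ADDRESS: record the jail (replacing a stale entry with the
# same name, e.g. after an alias change) and reload table and anchor.
jail_up() {
    forget_jail "$1"
    printf '%s %s\n' "$1" "$2" >> "$JAILNET_LIST"
    reload_pf
}

# jail_down NAME: drop the entry, reload, then kill states that still
# reference the old address ("pfctl -k", as in Darren's reply).
jail_down() {
    addr=$(awk -v n="$1" '$1 == n { print $2 }' "$JAILNET_LIST")
    forget_jail "$1"
    reload_pf
    [ -n "$addr" ] && "$PFCTL" -k "$addr"
    return 0
}

# Command-line entry point, e.g. from jail exec.poststart / exec.poststop
# hooks or an rc script that runs "reload" after boot.
case "${1:-}" in
    up)     jail_up "$2" "$3" ;;
    down)   jail_down "$2" ;;
    reload) reload_pf ;;
esac
```

Because the rendered files are what `pfctl` loads, `reload` after a reboot gives exactly the state the last `up`/`down` left behind, which is the restart case the reply says has to be handled separately.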