Any particular reason pfctl -f /etc/pf.conf takes about a minute to
reload when I remove "set skip on { lo0 }"? It eventually reloads, but
I can't figure out what it's trying to do; I haven't even put any rules in
yet.
On 3/29/2014 11:07 AM, Matt Lager wrote:
That was it, lo0 was the answer and I had set skip on lo0. For some
reason, that's in every freaking pf.conf example out there so I never
gave it a second thought. Thanks :)
On 3/29/2014 2:31 AM, Mikal Sande wrote:
On 03/29/2014 07:43 AM, Matt Lager wrote:
The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host
with 3 jails on it. The host and each jail are assigned a public IP
address. The host runs PF that controls inbound and outbound traffic
for itself and its jails. All works really nicely. Here's a basic
diagram:
PF does a really good job controlling traffic to and from remote
systems. I have recently come across the need to limit traffic from
jails on the host to other jails on the same host, i.e. HostA-JailA
needs to not be able to communicate with HostA-JailB. What I am
seeing, however, is that because all these jails share a single
interface, the traffic must not be going through PF as it is just
seen as local traffic.
I briefly tried to bring up a jail on another interface (lo1 for
example) and use NAT to provide it with its connectivity, but even
then the local traffic was still not filterable.
There's got to be a way, but my brain hasn't thought of it yet. Any
advice would be amazing, thanks so much ahead of time!
--Matt
Do you have rules that allow all traffic on loopback, or do you have
'set skip on lo0' or something in your pf.conf? I had the latter set
last time I tried to limit traffic between jails, it took me a little
time to realize it.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
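The thread's conclusion, shown as a pf.conf fragment. This is an added example, not a configuration from Matt, Mikal or the FreeBSD project: the interface name em0, the host and jail addresses (RFC 5737 documentation range) and the service ports are assumptions chosen for illustration. The "before" block reproduces the pattern that hides jail-to-jail traffic; the "after" block removes the skip line and filters lo0 explicitly so JailA and JailB can no longer reach each other.

```pf
# Added example, not from the thread. Interface name, host and jail
# addresses are assumptions; adjust them to your own layout.
ext_if  = "em0"
host_ip = "203.0.113.10"
jail_a  = "203.0.113.11"
jail_b  = "203.0.113.12"
table <jails> { 203.0.113.11 203.0.113.12 203.0.113.13 }

# --- BEFORE (the pattern the thread starts with) -----------------------
# "set skip on lo0" turns pf off on lo0 entirely. On FreeBSD, packets
# between two addresses configured on the same host are delivered through
# lo0, so jail-to-jail traffic never reaches the $ext_if rules below and
# cannot be blocked, whatever those rules say.
#
#   set skip on lo0
#   block log all
#   pass in  on $ext_if proto tcp to <jails> port { 22 80 443 } keep state
#   pass out on $ext_if from { $host_ip <jails> } keep state

# --- AFTER: drop the skip line and filter lo0 explicitly ---------------
block log all

# The host's own loopback traffic must keep working once lo0 is filtered.
pass quick on lo0 inet  from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet6 from ::1 to ::1

# JailA and JailB may not talk to each other in either direction.
# "return" answers with a RST or ICMP unreachable so attempts fail fast
# instead of hanging; "log" makes them visible on pflog0.
block return log quick on lo0 from $jail_a to $jail_b
block return log quick on lo0 from $jail_b to $jail_a

# Everything else on lo0 (jail <-> host, a jail talking to its own
# address, the remaining jails) stays allowed.
pass quick on lo0 all

# Rules for the public interface are unchanged.
pass in  on $ext_if proto tcp to <jails> port { 22 80 443 } keep state
pass out on $ext_if from { $host_ip <jails> } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch the blocked attempts with `tcpdump -n -e -ttt -i pflog0`. Two caveats: states established before the reload are not affected until they expire or you flush them with `pfctl -F states`, and if the jails sit on a separate interface such as lo1, the same reasoning applies there, so that interface must not appear in a `set skip` line either.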