Hello, I have a server with multiple jails of different types (service jails, user jails, ...). In my rc.conf I have (the relevant parts):
  # Host
  ifconfig_bge0="a.b.c.242 netmask 255.255.255.240"
  # Host
  ifconfig_bge0_alias0="a.b.c.243 netmask 255.255.255.255"
  # Common
  defaultrouter="a.b.c.241"
  # Jails
  cloned_interfaces="lo1 lo2"
  ifconfig_lo1="10.1.1.1 netmask 255.255.255.0"
  ifconfig_lo2="10.1.2.1 netmask 255.255.255.0"
  jail_first_ip="a.b.c.244"
  jail_first_interface="bge0 netmask 255.255.255.240"
  jail_second_ip="10.1.1.13"
  jail_second_interface="lo1 netmask 255.255.255.0"
  jail_third_ip="10.1.2.10"
  jail_third_interface="lo2 netmask 255.255.255.0"

Now I would like to do firewalling between these jails, so that users of the second and the third jail can't ssh to the first jail, for example. I thought this could be done by simply doing:

  - block log all
  - pass on lo0 all
  - [define other pass rules like: pass out on lo1 from ... to ...]

But then I realized that all the traffic which travels between the jails themselves and between the jails and the host is only "visible" on the lo0 interface. So I guess this is done by design. So my only option would be blocking all on lo0 and then doing pass rules only on lo0? I guess this is harder, because I need to observe carefully what needs to be passed on lo0 in order not to break anything?

How do you do it?

Thanks,
Nejc
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
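The setup the post describes, written out as a pf.conf that filters on lo0 by address rather than by interface. This is an added example, not a ruleset from the post or from the FreeBSD project; it assumes the three jail addresses above, that the host's primary address is a.b.c.242, and that a.b.c stands in for a real prefix (pfctl will refuse to load the file with the placeholder left in). The macro names and the "ssh to the first jail" policy are the example's own.

```pf
# Added example, not from the original post. Replace a.b.c.* with the
# real addresses before loading.
ext_if      = "bge0"
host_ip     = "a.b.c.242"
jail_first  = "a.b.c.244"
user_jails  = "{ 10.1.1.13, 10.1.2.10 }"   # second and third jail

# Do NOT "set skip on lo0". Every jail<->jail and jail<->host packet is
# delivered over lo0 (the destination is a local address), so lo0 is
# exactly where that traffic has to be filtered.

# Default deny, logged, so anything the pass rules miss shows up on
# pflog0 instead of silently breaking a service.
block log all

# The host's own 127/8 traffic is left alone.
pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# Policy: user jails may not ssh into the first jail. "quick" makes this
# rule win over the broad pass below (pf is last-match otherwise), and
# "return" sends a RST so clients fail at once instead of timing out.
block return in log quick on lo0 proto tcp \
    from $user_jails to $jail_first port 22

# Everything else on lo0 (jails talking to the host and to each other)
# is allowed. Filtering happens above, by address, not by interface.
pass on lo0 all keep state

# Outside world: ssh to the host and to the first jail; all outbound.
pass in on $ext_if proto tcp from any \
    to { $host_ip, $jail_first } port 22 flags S/SA keep state
pass out on $ext_if all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while exercising the jails: because the default block is logged, anything that breaks shows up there as a logged drop on lo0, which is the "observe carefully what needs to be passed" step the post worries about, done with the log instead of by guessing. Note that the address-based block has to sit before `pass on lo0 all` and carry `quick`; without it the later, broader pass rule would match last and win.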
