On 10/9/2013 3:54 PM, Uro Gruber wrote:
Hi,
I'm struggling to complete my pf firewall configuration with a bit more
optimized rules.
I have a few hundred jails set up on networks from 172.16.1.0 to 172.16.10.0
My goal is to deny access between jails, but allow a few exceptions for
example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
I've accomplished this with rules like
pass on lo0 from $jailnet to 172.16.1.0/26
pass on lo0 from 172.16.1.1 to 172.16.1.1
I would like to know if there is a better way to write such rules, mostly
because all those jails are very dynamic in terms of
running, stopping/destroying etc. and also IP aliases are removed and added
back continuously.
Use an anchor for the "pass on lo0 from X to X" rules and a table for
the jailnet. Then have your jail provisioning scripts manipulate the
table and anchor as jails come up and down.
In /etc/pf.conf:
table <jailnet> persist
pass on lo0 from <jailnet> to 172.16.1.0/26
anchor "jails"
When bringing up a jail:
# pfctl -t jailnet -T add 192.0.2.65
# pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
When taking down a jail:
# pfctl -t jailnet -T delete 192.0.2.65
# pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
# pfctl -k 192.0.2.65
You'll need to reload the table and anchor rules on a system restart.
You can do that with rules in /etc/pf.conf:
table <jailnet> persist file "/path/to/jailnet_address_list"
load anchor "jails" from "/path/to/jails_rules_list"
or directly using pfctl:
# pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
# pfctl -a jails -f /path/to/jails_rules_list
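The up/down steps above as a provisioning script, added here and not from the thread. It assumes one sub-anchor per jail (`anchor "jails/*"` in pf.conf) instead of the single "jails" anchor, because `pfctl -a name -f` replaces that anchor's whole ruleset and a reload for one jail would otherwise drop the rules of every other jail; the jail names, the validation helpers and the PFCTL override are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): bring a jail's pf rules up and down
# using the <jailnet> table plus one sub-anchor per jail. Assumes pf.conf has
#   table <jailnet> persist
#   pass on lo0 from <jailnet> to 172.16.1.0/26
#   anchor "jails/*"
# so that loading "jails/<name>" replaces only that jail's rules.
set -eu
PFCTL="${PFCTL:-pfctl}"   # overridable so the functions can be dry-run
TABLE=jailnet
ANCHOR=jails

# The jail name becomes a sub-anchor name: letters, digits, '_' and '-' only.
valid_name() { case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# Four decimal octets, each 0-255; anything else is rejected before pfctl sees it.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# The per-jail rule from the reply: the jail may talk to itself over lo0.
jail_rule() { printf 'pass on lo0 from %s to %s\n' "$1" "$1"; }

jail_up() {   # jail_up <name> <ipv4>
    valid_name "$1" && valid_ipv4 "$2" || return 2
    "$PFCTL" -t "$TABLE" -T add "$2"
    jail_rule "$2" | "$PFCTL" -a "$ANCHOR/$1" -f -
}

jail_down() { # jail_down <name> <ipv4>
    valid_name "$1" && valid_ipv4 "$2" || return 2
    "$PFCTL" -t "$TABLE" -T delete "$2"
    "$PFCTL" -a "$ANCHOR/$1" -F rules      # drop only this jail's rules
    "$PFCTL" -k "$2"                       # kill states the jail originated
    "$PFCTL" -k 0.0.0.0/0 -k "$2"          # and states addressed to it
}

# Usage: jailpf.sh up|down <name> <ipv4>
case "${1:-}" in
    up)   jail_up   "$2" "$3" ;;
    down) jail_down "$2" "$3" ;;
esac
```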
freebsd-pf mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf