Ok, one way of doing it is something like this:

( pfctl -a jails -sr ; echo "pass on lo0 from 192.0.2.65 to 192.0.2.65" ) | pfctl -a jails -f -

But still, it's only for adding the rule to the anchor. I need to work on something for deleting the rule :)

Regards

Uros

On 14 October 2013 22:20, Uroš Gruber <[email protected]> wrote:
> Hi Darren,
>
> I thought about anchors and also did some tests with them. But the problem
> I'm seeing is that I need to get a list of all rules for all active jails
> when starting or stopping a jail. At least I don't see a way to add or
> remove the rule from an anchor except to replace all anchor rules.
>
> Am I missing something here or was that your idea?
>
> Regards
>
> Uros
>
>
> On 14 October 2013 02:59, Darren Pilgrim <[email protected]> wrote:
>
>> On 10/9/2013 3:54 PM, Uroš Gruber wrote:
>>
>>> Hi,
>>>
>>> I'm struggling to complete my pf firewall configuration with a bit more
>>> optimized rules.
>>>
>>> I have a few hundred jails set up on the network from 172.16.1.0 to
>>> 172.16.10.0
>>>
>>> My goal is to deny access between jails, but allow a few exceptions, for
>>> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>>>
>>> I've accomplished this with rules like
>>>
>>> pass on lo0 from $jailnet to 172.16.1.0/26
>>> pass on lo0 from 172.16.1.1 to 172.16.1.1
>>>
>>> I would like to know if there is a better way to write such rules, mostly
>>> because all those jails are very dynamic in terms of
>>> running, stopping/destroying etc. and also IP aliases are removed and added
>>> back continuously.
>>>
>>
>> Use an anchor for the "pass on lo0 from X to X" rules and a table for the
>> jailnet. Then have your jail provisioning scripts manipulate the table and
>> anchor as jails come up and down.
>>
>> In /etc/pf.conf:
>>
>> table <jailnet> persist
>> pass on lo0 from <jailnet> to 172.16.1.0/26
>> anchor <jails>
>>
>> When bringing up a jail:
>>
>> # pfctl -t jailnet -T add 192.0.2.65
>> # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
>>
>> When taking down a jail:
>>
>> # pfctl -t jailnet -T delete 192.0.2.65
>> # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
>> # pfctl -k 192.0.2.65
>>
>> You'll need to reload the table and anchor rules on a system restart. You
>> can do that with rules in /etc/pf.conf:
>>
>> table <jailnet> persist /path/to/jailnet_address_list
>> load anchor jails from /path/to/jails_rules_list
>>
>> or directly using pfctl:
>>
>> # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
>> # pfctl -a jails -f /path/to/jails_rules_list
>>
>
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
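One way to do the delete side that Uros is still looking for, as an added example and not code from the thread: read the live anchor with `pfctl -sr`, drop the lines that mention the jail's address, and load the result back, so the other jails' rules are never rewritten by hand. It assumes the `jails` anchor and `<jailnet>` table layout from Darren's reply; the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: per-jail rules in the "jails"
# anchor and <jailnet> table, edited without touching other jails' rules.
# Assumes /etc/pf.conf as in Darren's reply:
#   table <jailnet> persist
#   pass on lo0 from <jailnet> to 172.16.1.0/26
#   anchor "jails"
ANCHOR="jails"
TABLE="jailnet"

# The one rule a jail needs, in the shape used throughout the thread.
jail_rule() {
    printf 'pass on lo0 from %s to %s\n' "$1" "$1"
}

# Pure filter: anchor ruleset on stdin, printed minus every rule that
# contains the jail address as a whole token, so 192.0.2.6 does not
# match 192.0.2.65.  pfctl -sr prints rules in normalised form (it may
# add "inet" or "flags S/SA keep state"), so matching exact text is unsafe.
ruleset_without() {
    awk -v ip="$1" '
        { keep = 1
          for (i = 1; i <= NF; i++) if ($i == ip) keep = 0
          if (keep) print }'
}

# Pure filter: same ruleset plus the jail's rule, exactly once, so a
# repeated "start" does not pile up duplicate rules.
ruleset_with() {
    ruleset_without "$1"
    jail_rule "$1"
}

# Live operations.  "pfctl -a jails -f -" replaces the whole anchor in
# one load; the main ruleset and other anchors are not touched.
jail_up() {
    pfctl -t "$TABLE" -T add "$1"
    pfctl -a "$ANCHOR" -sr | ruleset_with "$1" | pfctl -a "$ANCHOR" -f -
}

jail_down() {
    pfctl -t "$TABLE" -T delete "$1"
    pfctl -a "$ANCHOR" -sr | ruleset_without "$1" | pfctl -a "$ANCHOR" -f -
    pfctl -k "$1"   # kill states for the jail's address, as in the thread
}
```

The read-modify-write of the anchor is not atomic across two scripts running at once, so if jails can start and stop concurrently, serialise `jail_up`/`jail_down` with lockf(1).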
