On Wed, Nov 14, 2007 at 04:13:25PM +0100, Johan Ström wrote:
>  On Nov 14, 2007, at 16:00 , Michael W. Lucas wrote:
> > If the jail is bound to the external NIC, won't it try to talk to the
> > other jail on that NIC and not on lo0?
> 
>  When talking to external world, it goes through em0. However when two jails 
>  are talking to each other it seems to go over lo0 (since it's actually local 
>  traffic I guess?)
>  Some tcpdumping (on em0, lo0, pflog0) led me to this, but haven't really found 
>  much docs/examples on pf & jails.

I suggest you separate per-interface filtering from jail filtering.
For example, you may have something like this (written on the fly, so
syntax may not be accurate):

% # Does it deserve a comment? :-)
% block all
% pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
%
% # Let each jail talk to itself.  Idem for host.
% pass quick inet from $host to $host
% pass quick inet from $jail1 to $jail1
% pass quick inet from $jail2 to $jail2
% pass quick inet from $jail3 to $jail3
%
% #
% # Input path.
%
% # Host filtering: allow ssh from all but jails.
% pass in inet proto tcp to $host port ssh keep state
%
% # Restrict incoming jail traffic.
% block in inet from { $jail1 $jail2 $jail3 }
%
% # Jail1 filtering: allow ssh and smtp, including from other jails.
% pass in inet proto tcp to $jail1 port { ssh smtp } keep state
%
% # Jail2 filtering: ...
% ...
%
% #
% # Output path
%
% # Host filtering: everything is allowed.
% pass out inet from $host keep state
%
% # Jail1 filtering: smtp and dns.
% pass out inet proto tcp from $jail1 to any port smtp keep state
% pass out inet proto udp from $jail1 to $dns port domain keep state
%
% # Jail2 filtering: ...
% ...

-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
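The ruleset above relies on pf's "last matching rule wins, unless the rule is quick" ordering: the later "block in from jails" overrides the host ssh pass for jail sources, and the jail1 pass placed after it re-opens ssh/smtp for jails. The following is an added toy model of that evaluation (not code from the original thread, and it ignores keep state); the host, jail and dns addresses are constructed placeholders standing in for the $host/$jailN/$dns macros.

```python
# Toy model of pf evaluation: the last matching rule wins, unless a matching
# rule says "quick", which ends evaluation at once. Stateful "keep state"
# behaviour is not modelled. Addresses are constructed placeholders.
HOST, JAIL1, JAIL2, JAIL3, DNS = "192.0.2.1", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.53"
JAILS = (JAIL1, JAIL2, JAIL3)
SSH, SMTP, DOMAIN = 22, 25, 53

def rule(action, direction=None, src=None, dst=None, proto=None, port=None, quick=False):
    """A None field is a wildcard, like omitting that keyword in a pf rule."""
    return dict(action=action, direction=direction, src=src, dst=dst,
                proto=proto, port=port, quick=quick)

def matches(r, pkt):
    direction, src, dst, proto, port = pkt
    return ((r["direction"] is None or r["direction"] == direction)
            and (r["src"] is None or src in r["src"])
            and (r["dst"] is None or dst in r["dst"])
            and (r["proto"] is None or r["proto"] == proto)
            and (r["port"] is None or port in r["port"]))

def evaluate(rules, pkt):
    verdict = "pass"            # pf's default when no rule matches at all
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:      # quick: stop here, this verdict is final
                break
    return verdict

RULES = [rule("block")]                                                 # block all
RULES += [rule("pass", src={a}, dst={a}, quick=True) for a in (HOST,) + JAILS]  # self-talk
RULES += [
    rule("pass", "in", dst={HOST}, proto="tcp", port={SSH}),            # host: ssh from anyone...
    rule("block", "in", src=set(JAILS)),                                # ...except jails (later rule wins)
    rule("pass", "in", dst={JAIL1}, proto="tcp", port={SSH, SMTP}),     # jail1: ssh+smtp, jails included
    rule("pass", "out", src={HOST}),                                    # host may send anything
    rule("pass", "out", src={JAIL1}, proto="tcp", port={SMTP}),         # jail1 out: smtp
    rule("pass", "out", src={JAIL1}, dst={DNS}, proto="udp", port={DOMAIN}),  # jail1 out: dns
]

def verdict(direction, src, dst, proto, port):
    """Verdict for one packet described as (direction, src, dst, proto, port)."""
    return evaluate(RULES, (direction, src, dst, proto, port))
```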