On Wed, Nov 14, 2007 at 04:13:25PM +0100, Johan Ström wrote:
> On Nov 14, 2007, at 16:00 , Michael W. Lucas wrote:
> > If the jail is bound to the external NIC, won't it try to talk to the
> > other jail on that NIC and not on lo0?
>
> When talking to the external world, it goes through em0. However, when two jails
> are talking to each other it seems to go over lo0 (since it's actually local
> traffic, I guess?)
> Some tcpdumping (on em0, lo0, pflog0) led me to this, but I haven't really found
> much docs/examples on pf & jails.
I suggest you separate per-interface filtering from jail filtering. For
example, you may have something like this (written on the fly, so syntax may
not be accurate):

% # Does it deserve a comment? :-)
% block all
% pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
%
% # Let each jail talk to itself. Idem for host.
% pass quick inet from $host to $host
% pass quick inet from $jail1 to $jail1
% pass quick inet from $jail2 to $jail2
% pass quick inet from $jail3 to $jail3
%
% #
% # Input path.
%
% # Host filtering: allow ssh from all but jails.
% pass in to $host port ssh keep state
%
% # Restrict incoming jail traffic.
% block inet from { $jail1 $jail2 $jail3 }
%
% # Jail1 filtering: allow ssh and smtp, including from other jails.
% pass in inet to $jail1 port { ssh smtp } keep state
%
% # Jail2 filtering: ...
% ...
%
% #
% # Output path
%
% # Host filtering: everything is allowed.
% pass out inet from $host keep state
%
% # Jail1 filtering: smtp and dns.
% pass out inet proto tcp from $jail1 to any port smtp keep state
% pass out inet proto udp from $jail1 to $dns port domain keep state
%
% # Jail2 filtering: ...
% ...

-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
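The sketch above leaves the macros undefined and the second jail as "...". The following is a complete, loadable pf.conf built on the same layout; it is an added example, not Jeremie's ruleset or anything from the thread. The interface name (em0), the host and jail addresses (RFC 5737 documentation ranges), the resolver addresses and the two jail roles (a mail jail and a web jail) are all assumed and must be adapted. The point it makes concrete is the one raised in the thread: jail-to-jail packets traverse lo0 carrying the jail addresses, so the lo0 exemption is limited to 127.0.0.0/8 and everything else on lo0 falls through to the jail rules.

```pf
# Added example pf.conf for filtering non-VNET jails on a FreeBSD host.
# Assumed names and addresses (documentation ranges); adjust to your setup.
ext_if = "em0"
host   = "192.0.2.10"
jail1  = "192.0.2.11"   # assumed mail jail: accepts ssh/smtp, sends mail, queries DNS
jail2  = "192.0.2.12"   # assumed web jail: accepts ssh/http, only queries DNS
dns    = "{ 198.51.100.53, 203.0.113.53 }"   # assumed resolvers
table <jails> const { $jail1, $jail2 }

# Default deny. Every pass below is a deliberate exception; log the rest so
# "tcpdump -ni pflog0" shows what the policy dropped.
block log all

# Loopback exemption restricted to the loopback network itself. Jail-to-jail
# traffic also goes over lo0 but with jail addresses as src/dst, so it does
# NOT match here and is subject to the jail rules. Do not use "set skip on
# lo0": that would exempt inter-jail traffic from filtering entirely.
pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# Each jail, and the host, may always talk to itself.
pass quick inet from $host  to $host
pass quick inet from $jail1 to $jail1
pass quick inet from $jail2 to $jail2

#
# Input path.
#

# Host: ssh from anywhere. The "block in from <jails>" rule below comes
# later in the file, so under last-match semantics jails are excluded.
pass in inet proto tcp to $host port ssh keep state

# Default for traffic originating in a jail: denied on input, whether it is
# aimed at the host or at another jail (the lo0 case). The per-jail
# "pass in" rules that follow re-open specific services, from other jails
# included, because they are matched last.
block in log inet from <jails>

# jail1 (mail): ssh and smtp, from the outside and from other jails.
pass in inet proto tcp to $jail1 port { ssh, smtp } keep state

# jail2 (web): ssh and http.
pass in inet proto tcp to $jail2 port { ssh, http } keep state

#
# Output path.
#

# Host: unrestricted.
pass out inet from $host keep state

# jail1: may deliver mail and resolve names, nothing else.
pass out inet proto tcp from $jail1 to any  port smtp   keep state
pass out inet proto udp from $jail1 to $dns port domain keep state

# jail2: may only resolve names.
pass out inet proto udp from $jail2 to $dns port domain keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. To confirm the lo0 behaviour the thread describes, connect from jail1 to a port on jail2 that is not in jail2's pass list and watch `tcpdump -ni pflog0`: the packet appears with the jail addresses, dropped by the "block in log inet from <jails>" rule rather than passed by the loopback exemption.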