On Nov 14, 2007, at 18:24, Jeremie Le Hen wrote:

On Wed, Nov 14, 2007 at 04:13:25PM +0100, Johan Ström wrote:
On Nov 14, 2007, at 16:00, Michael W. Lucas wrote:
If the jail is bound to the external NIC, won't it try to talk to the
other jail on that NIC and not on lo0?

When talking to the external world, it goes through em0. However, when two jails are talking to each other it seems to go over lo0 (since it's actually local traffic, I guess?)
Some tcpdumping (on em0, lo0, pflog0) led me to this, but I haven't really found much docs/examples on pf & jails.

I suggest you separate per-interface filtering from jail filtering.
For example, you may have something like this (written on the fly, so
syntax may not be accurate):

% # Does it deserve a comment? :-)
% block all
% pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
%
% # Let each jail talk to itself.  Idem for host.
% pass quick inet from $host to $host
% pass quick inet from $jail1 to $jail1
% pass quick inet from $jail2 to $jail2
% pass quick inet from $jail3 to $jail3
%
% #
% # Input path.
%
% # Host filtering: allow ssh from all but jails.
% pass in to $host port ssh keep state
%
% # Restrict incoming jail traffic.
% block inet from { $jail1 $jail2 $jail3 }
%
% # Jail1 filtering: allow ssh and smtp, including from other jails.
% pass in inet to $jail1 port { ssh smtp } keep state
%
% # Jail2 filtering: ...
% ...
%
% #
% # Output path
%
% # Host filtering: everything it allowed.
% pass out inet from $host keep state
%
% # Jail1 filtering: smtp and dns.
% pass out inet tcp from $jail1 to any port smtp keep state
% pass out inet udp from $jail1 to $dns port domain keep state
%
% # Jail2 filtering: ...
% ...

Thanks, that seemed to get it working! I changed all my rules from, i.e.:

pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp flags S/SA modulate state

to

pass on {lo0 em0} inet proto tcp from any to $jail1 port smtp flags S/SA modulate state

Now the traffic can pass fine between the jails, the only downside is that two states are created for every connection:

self tcp jail1:64394 -> jail2:25       ESTABLISHED:ESTABLISHED
[400582164 + 66609](+3236511002) wscale 1 [4169925279 + 66608] (+667722356) wscale 1
   age 00:00:03, expires in 23:59:57, 3:2 pkts, 168:152 bytes, rule 32
self tcp jail2:25 <- jail1:64394       ESTABLISHED:ESTABLISHED
[3221340972 + 66608](+948584307) wscale 1 [3637093166 + 66609] (+2363038978) wscale 1
   age 00:00:03, expires in 23:59:57, 3:2 pkts, 168:152 bytes, rule 32

I'm not sure if there is any real downside to this except for the extra memory used (and I guess it might impact table lookup times depending on number of records/algorithm). Note that there are only 2 states created when sending jail-to-jail traffic. For regular traffic from outside-to-jail only a single state is created as usual.
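The state listing above shows two pf states for one jail-to-jail TCP connection (the `out` state on lo0 and the `in` state on lo0). As an added example, not from this thread and not part of pf itself, the following Python script parses `pfctl -ss -vv`-style state lines like the ones quoted, normalises each state to packet direction (pfctl prints the local endpoint first and uses `<-` for inbound states), and reports which connections are represented by more than one state, so an administrator can see how many such double-state pairs a ruleset is producing. The sample input is constructed, modelled on the quoted output with a couple of single-state entries added for contrast; NAT states, which print an extra gateway address between the two endpoints, are matched but the gateway is ignored.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pfctl -ss -vv output quoted in the thread.
# Host names stand in for addresses; sequence numbers and counters are made up.
SAMPLE = """\
self tcp jail1:64394 -> jail2:25       ESTABLISHED:ESTABLISHED
[400582164 + 66609](+3236511002) wscale 1 [4169925279 + 66608] (+667722356) wscale 1
   age 00:00:03, expires in 23:59:57, 3:2 pkts, 168:152 bytes, rule 32
self tcp jail2:25 <- jail1:64394       ESTABLISHED:ESTABLISHED
[3221340972 + 66608](+948584307) wscale 1 [3637093166 + 66609] (+2363038978) wscale 1
   age 00:00:03, expires in 23:59:57, 3:2 pkts, 168:152 bytes, rule 32
self tcp jail1:25 <- 192.0.2.10:51000  ESTABLISHED:ESTABLISHED
   age 00:01:12, expires in 23:58:48, 10:9 pkts, 1400:900 bytes, rule 40
self udp jail1:53214 -> 192.0.2.53:53  MULTIPLE:SINGLE
   age 00:00:01, expires in 00:00:59, 1:0 pkts, 60:0 bytes, rule 41
"""

# One state header line: <if> <proto> <addr:port> (-> | <-) [<gw> same-arrow] <addr:port> <state>
# The optional middle group absorbs the gateway column printed for NAT states.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)\s+(?P<dir>->|<-)\s+"
    r"(?:\S+\s+(?P=dir)\s+)?"
    r"(?P<right>\S+)\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Return a list of (ifname, proto, src, dst, state) tuples.

    src/dst are normalised to packet direction: for "dst <- src" lines pf
    prints the local endpoint first, so the two addresses are swapped.
    Detail lines from -vv (sequence numbers, age/expiry) do not match and
    are skipped.
    """
    flows = []
    for raw in text.splitlines():
        m = STATE_RE.match(raw.strip())
        if not m:
            continue
        src, dst = m["left"], m["right"]
        if m["dir"] == "<-":
            src, dst = dst, src
        flows.append((m["ifname"], m["proto"], src, dst, m["state"]))
    return flows


def duplicate_flows(text):
    """Map (proto, src, dst) -> number of states, for connections with more than one."""
    counts = defaultdict(int)
    for _ifname, proto, src, dst, _state in parse_states(text):
        counts[(proto, src, dst)] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (proto, src, dst), n in duplicate_flows(SAMPLE).items():
        print(f"{proto} {src} -> {dst}: {n} states")
```

Run against live output with `pfctl -ss -vv | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin.read()`; only the jail-to-jail connection in the sample reports two states, matching the behaviour described above.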
