From: Ernie Luzar
Date: Sun, 07 Aug 2016 13:20:54 -0400
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Firewalling jails and lo0

Niklaas Baudet von Gersdorff wrote:
> Ernie Luzar [2016-08-07 10:20 -0400] :
>
>> I believe the loopback interface lo1 needs 127.0.0.0/8 ip address to enable
>> loopback functionally, and the ip address has to be a different sub-net. IE
>> 127.0.10.1 for lo1 while the hosts lo0 uses 127.0.0.1
>
> Aha. So once I assigned those traffic from/to jails should go
> through lo1 solely?
>
> Niklaas

YES.

I am still missing info on your jail.conf.
Post the jail.conf file for the jails in question.
Also, what services are running on the host that you want to communicate with the SMTP jail? You have to change the SMTP config file to tell it to use the new lo1:127.0.10.2 IP address, and you have to do the same thing for whatever host service will communicate with the SMTP jail. They all have to be using the same lo1:127.0.10.2 IP. Most admins just keep those types of services on the host because it's just easier.