Date:      Mon, 14 Oct 2013 22:30:06 +0200
From:      Uroš Gruber <uros.gruber@gmail.com>
To:        Darren Pilgrim <list_freebsd@bluerosetech.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF rule question
Message-ID:  <CAHGMo97h8TX17zEsdQD-K6D4bWDnrP_0XUTsz=bJKtCO3-v8cA@mail.gmail.com>
In-Reply-To: <CAHGMo96DZT+hTjGUibgZy4Q_g_-tJ54oeoRsMWfLZCFvbqnf3w@mail.gmail.com>
References:  <CAHGMo946+Zmz1tpn1b=PjLTvSfEa9EMRXKypuyTM7X65yhow1w@mail.gmail.com> <525B41EA.8000501@bluerosetech.com> <CAHGMo96DZT+hTjGUibgZy4Q_g_-tJ54oeoRsMWfLZCFvbqnf3w@mail.gmail.com>

Ok, one way of doing it is something like this:

( pfctl -a jails -sr ; echo "pass on lo0 from 192.0.2.65 to 192.0.2.65" ) |
pfctl -a jails -f -

But still, it's only for adding the rule to the anchor. I need to work on
something for deleting the rule :)

Regards

Uros

On 14 October 2013 22:20, Uroš Gruber <uros.gruber@gmail.com> wrote:

> Hi Darren,
>
> I thought about anchors and also do some test with them. But the problem
> I'm seeing is that I need to get list of all rules for all active jails
> when starting or stopping a jail. At least I don't see a way to add or
> remove the rule from anchor except to replace all anchor rules.
>
> Am I missing something here or that was your idea?
>
> Regards
>
> Uros
>
>
> On 14 October 2013 02:59, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:
>
>> On 10/9/2013 3:54 PM, Uroš Gruber wrote:
>>
>>> Hi,
>>>
>>> I'm struggling to complete my pf firewall configuration with a bit more
>>> optimized rules.
>>>
>>> I have a few hundred jails set up on network from 172.16.1.0 to
>>> 172.16.10.0
>>>
>>> My goal is to deny access between jails, but allow a few exceptions for
>>> example all jails can connect to jails from 172.16.1.0 to 172.16.1.64.
>>>
>>> I've accomplished this with rules like
>>>
>>> pass on lo0 from $jailnet to 172.16.1.0/26
>>> pass on lo0 from 172.16.1.1 to 172.16.1.1
>>>
>>> I would like to know if there is a better way to write such rules mostly
>>> because all those jails are very dynamic in terms of
>>> running, stopping/destroying etc. and also IP aliases are removed and added
>>> back continuously.
>>>
>>
>> Use an anchor for the "pass on lo0 from X to X" rules and a table for the
>> jailnet.  Then have your jail provisioning scripts manipulate the table and
>> anchor as jails come up and down.
>>
>> In /etc/pf.conf:
>>
>>         table <jailnet> persist
>>         pass on lo0 from <jailnet> to 172.16.1.0/26
>>         anchor "jails"
>>
>> When bringing up a jail:
>>
>> # pfctl -t jailnet -T add 192.0.2.65
>> # pfctl -a jails -f - <<<"pass on lo0 from 192.0.2.65 to 192.0.2.65"
>>
>> When taking down a jail:
>>
>> # pfctl -t jailnet -T delete 192.0.2.65
>> # pfctl -a jails -f - <<<"block on lo0 from 192.0.2.65 to 192.0.2.65"
>> # pfctl -k 192.0.2.65
>>
>> You'll need to reload the table and anchor rules on a system restart. You
>> can do that with rules in /etc/pf.conf:
>>
>>         table <jailnet> persist file "/path/to/jailnet_address_list"
>>         load anchor "jails" from "/path/to/jails_rules_list"
>>
>> or directly using pfctl:
>>
>> # pfctl -t jailnet -Ta -f /path/to/jailnet_address_list
>> # pfctl -a jails -f /path/to/jails_rules_list
>>
>
>
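The following script is an added example and not part of the thread or of either poster's setup. It keeps Darren's table-plus-anchor layout (table <jailnet>, anchor "jails") and fills in the step Uroš was still missing: instead of replacing the whole anchor with one rule on teardown, it reads the anchor's current ruleset with pfctl -a jails -sr, drops or appends the single "pass on lo0 from X to X" rule for the jail in question, and loads the result back with one pfctl -f, so the other jails' rules survive. The helper names, the awk filter and the PFCTL override are mine; the path the script lives at is assumed.

```shell
#!/bin/sh
# Added example: per-jail rule maintenance in a pf anchor without touching
# the other jails' rules. Anchor and table names follow the thread; PFCTL can
# be pointed at a wrapper for dry runs on a machine without pf.
ANCHOR="${ANCHOR:-jails}"
TABLE="${TABLE:-jailnet}"
PFCTL="${PFCTL:-pfctl}"

# Rule text for one jail address, in the form used in the thread.
jail_rule() {
    printf 'pass on lo0 from %s to %s\n' "$1" "$1"
}

# Read the current anchor ruleset on stdin and drop every rule whose
# "from A to A" fields name the given address. pfctl -sr prints rules in
# canonical form (it adds e.g. "inet" and "flags S/SA keep state"), so the
# match is on the address fields, not on the literal text that was loaded.
drop_jail_rules() {
    awk -v ip="$1" '
    {
        keep = 1
        for (i = 1; i + 3 <= NF; i++)
            if ($i == "from" && $(i + 1) == ip && $(i + 2) == "to" && $(i + 3) == ip)
                keep = 0
        if (keep) print
    }'
}

# Read the current anchor ruleset on stdin and emit it with exactly one rule
# for the address appended (drop first, then add, so re-running is a no-op).
add_jail_rule() {
    drop_jail_rules "$1"
    jail_rule "$1"
}

# Replace the anchor's ruleset with a filtered copy of the current one.
# The load is a single pfctl -f, so the anchor is never left half-empty.
rewrite_anchor() {
    filter="$1"; shift
    "$PFCTL" -a "$ANCHOR" -sr | "$filter" "$@" | "$PFCTL" -a "$ANCHOR" -f -
}

# Jail start: add the address to the table, then add its anchor rule.
jail_up() {
    "$PFCTL" -t "$TABLE" -T add "$1"
    rewrite_anchor add_jail_rule "$1"
}

# Jail stop: remove the address from the table and the anchor, then kill
# the jail's existing states (pfctl -k, as in the thread).
jail_down() {
    "$PFCTL" -t "$TABLE" -T delete "$1"
    rewrite_anchor drop_jail_rules "$1"
    "$PFCTL" -k "$1"
}

case "${1:-}" in
    up)   jail_up "$2" ;;
    down) jail_down "$2" ;;
esac
```

Invoke it from the jail provisioning hooks as `sh jailpf.sh up 192.0.2.65` and `sh jailpf.sh down 192.0.2.65` (script name assumed). Matching on the address fields rather than on the literal rule text is the part that is easy to get wrong: a line such as `pass on lo0 inet from 192.0.2.65 to 192.0.2.65 flags S/SA keep state` is what pfctl -sr actually prints back, and a plain grep -v for the text that was loaded would leave it in place. If the read-modify-write cycle is still unwelcome, pf's wildcard anchors avoid it: declare `anchor "jails/*"` in pf.conf, load each jail's rule into its own sub-anchor with `pfctl -a jails/<jailname> -f -`, and clear it on teardown with `pfctl -a jails/<jailname> -F rules`.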


