Date:      Thu, 5 May 2016 22:16:18 -0600
From:      Alan Somers <asomers@freebsd.org>
To:        Julian Elischer <julian@freebsd.org>
Cc:        Shawn Debnath <sd@beastie.io>, Kristof Provost <kristof@sigsegv.be>,  FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: How to use pf with vimage jails?
Message-ID:  <CAOtMX2gmrysN6wb_SWT9mrukB8C9_hiw0P71pD8WEZ1vmBrnLA@mail.gmail.com>
In-Reply-To: <3ed0ddc2-3439-19fb-3075-8b5079cc5731@freebsd.org>
References:  <CAOtMX2jtxjUxiOv_LqO8Gg5AhXrSBb%2BWatCktx7y03w=st=w3w@mail.gmail.com> <67045371-07B8-4718-8A8B-98E3FBFF994E@sigsegv.be> <CAOtMX2hLhLGPU%2B6qb9ROd1P3vvazb_k3K6p0Q5A5a-znVzJQcg@mail.gmail.com> <20160504155915.GD4796@beastie.io> <3ed0ddc2-3439-19fb-3075-8b5079cc5731@freebsd.org>

On Wed, May 4, 2016 at 11:49 PM, Julian Elischer <julian@freebsd.org> wrote:

> On 4/05/2016 11:59 PM, Shawn Debnath wrote:
>
>> On 05/04, Alan Somers wrote:
>>
>>> Then maybe it's the bridged aspect that's screwing me up.  Is there a
>>> guide
>>> for using pf on bridged interfaces?  All I can find is this guide for
>>> ipfw.
>>>
>> I ran into a similar issue recently  and decided to write up an article on
>> my site that documents how to set up jails with VNET/VIMAGE using a bridge
>> on the host. This might help you:
>>
>>
>> http://shawndebnath.com/articles/2016/03/27/freebsd-jails-with-vlan-howto.html
>>
>> If you see any errors, do let me know and I will get those fixed up.
>>
>
> devin just committed some sample code to share/examples
>
> https://svnweb.freebsd.org/base/head/share/examples/jails/
>
> there is also some code in
> https://svnweb.freebsd.org/base/head/share/examples/netgraph/
>
> that may be relevant, but uses netgraph bridging.
>
>
>
>> Thanks,
>> Shawn
>>
>>
I finally found a configuration that works, but there were two surprises.
First, I had to set net.link.bridge.pfil_member=1.  Second, I essentially
had to double all rules; they must be written once for the physical
interface and once for the virtual interface.  Here is an example pf.conf
file:  communication to the jail host uses em0 only.  em1 is reserved as
the bridge for various jails' vnet interfaces.  The www jail uses vnet0.
The rules allow inbound traffic only on ports 80 and 443, but any outbound
traffic.

www_services = "{ http, https }"
host_iface = "em0"
dmz_iface = "em1"
www_jail_iface = "vnet0:1"
www_ip = "192.168.0.40"
set state-policy if-bound

scrub in
block in all
block out all

pass in on $host_iface
pass out on $host_iface
set skip on lo0

pass in on $dmz_iface
pass out on $www_jail_iface proto tcp to $www_ip port $www_services
pass in on $www_jail_iface keep state
pass out on $dmz_iface

Thanks for all the suggestions.

-Alan
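As an added illustration (not part of the thread above), here is a small Python model of pf's last-match evaluation run over the ruleset from the mail, macros expanded. It shows why, with net.link.bridge.pfil_member=1, a packet bound for the jail is filtered twice (in on em1, then out on vnet0:1) and so needs a pass rule on both interfaces. The Rule/verdict/bridged names are assumptions of this model; state tracking and reply packets are not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    iface: Optional[str] = None      # None = any interface ("all")
    proto: Optional[str] = None
    dst: Optional[str] = None
    ports: Tuple[int, ...] = ()      # empty = any port

    def matches(self, direction, iface, proto, dst, port):
        return (self.direction == direction
                and self.iface in (None, iface)
                and self.proto in (None, proto)
                and self.dst in (None, dst)
                and (not self.ports or port in self.ports))

SKIP = {"lo0"}  # 'set skip on lo0'

# Constructed ruleset: the mail's pf.conf with its macros expanded.
RULES = [
    Rule("block", "in"), Rule("block", "out"),
    Rule("pass", "in", "em0"), Rule("pass", "out", "em0"),
    Rule("pass", "in", "em1"),
    Rule("pass", "out", "vnet0:1", "tcp", "192.168.0.40", (80, 443)),
    Rule("pass", "in", "vnet0:1"),
    Rule("pass", "out", "em1"),
]

def verdict(direction, iface, proto, dst, port, rules=RULES):
    """Last matching rule wins (there are no 'quick' rules in this set)."""
    if iface in SKIP:
        return "pass"
    result = "pass"  # pf's implicit default when nothing matches
    for r in rules:
        if r.matches(direction, iface, proto, dst, port):
            result = r.action
    return result

def bridged(hops, proto, dst, port, rules=RULES):
    """With net.link.bridge.pfil_member=1 a bridged packet is filtered on
    every member it crosses, so it must get 'pass' at each hop."""
    return all(verdict(d, i, proto, dst, port, rules) == "pass"
               for d, i in hops)

# Hop sequences for the bridge described in the mail.
TO_JAIL = [("in", "em1"), ("out", "vnet0:1")]
FROM_JAIL = [("in", "vnet0:1"), ("out", "em1")]
```

Dropping the vnet0:1 rules from RULES makes "block out all" win on the second hop, which is the doubling effect described in the mail.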
