I would like to completely isolate a jail from the local network but, on the other hand, keep it accessible from the internet. Since I wasn't able to block it using aliases, I have tried to set up another jail behind PF NAT. And I got myself into the same problem: I can block access to the gateway router (192.168.1.1) by not doing NAT for 192.168.1.1/24 and allowing it for all other addresses (any).
But I got into the same problem as with the alias: 192.168.1.1 is not accessible from the jail, but the BSD host (192.168.1.150) running the jails is. This is really killing me; I do understand that pf can't filter all the traffic due to internal optimizations on network traffic, but I just can't believe that there is no way to protect the local network from a potentially defaced jail.
I guess I am missing something.
Any help?
Code:
nat on $ext_if from $jail to { ! 192.168.1.1/24, any} -> ($ext_if)

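As an added example, not the original poster's ruleset, here is a pf.conf fragment that puts the isolation into filter rules instead of the NAT rule. A nat rule only rewrites source addresses and never drops a packet, and a packet from the jail to the host's own address is delivered through lo0 rather than the LAN interface, which is why a NAT-based approach leaves the host reachable. The interface name, the jail's address on a loopback clone, the host's lo1 address and the forwarded port are assumptions; the host address 192.168.1.150 and the 192.168.1.0/24 network come from the post.

```pf
# Added example; not the poster's configuration.
ext_if = "em0"              # assumption: the host's LAN uplink interface
jail   = "10.0.0.2"         # assumption: the NATed jail's address on a cloned loopback (lo1)
hostlo = "10.0.0.1"         # assumption: the host's own address on lo1 (the jail's default gateway)
host   = "192.168.1.150"    # the jail host, from the post
lan    = "192.168.1.0/24"   # the local network from the post, written in network form

# Do NOT put "set skip on lo0" in this ruleset.  Traffic from the jail to
# $host is delivered locally over lo0 and never appears on $ext_if, so
# skipping lo0 would exempt exactly the jail-to-host traffic that the
# post could not block.

# NAT rewrites source addresses only; it cannot block anything.  A list
# such as { ! $lan, any } expands into two separate nat rules, and the
# "any" rule still matches LAN destinations.  Exclude the LAN with a
# single negated address instead, so only Internet-bound traffic is
# translated:
nat on $ext_if from $jail to ! $lan -> ($ext_if)

# assumption: the jail's service is TCP port 80, forwarded by the router
# to the host; redirect it into the jail for non-LAN sources only.
rdr on $ext_if proto tcp from ! $lan to ($ext_if) port 80 -> $jail

# Isolation is done by filter rules.  No "on" keyword, so these apply on
# every interface: lo0 for jail-to-host, $ext_if for jail-to-LAN.
block return quick from $jail to $lan
block return quick from $lan  to $jail
# The host is also reachable at its lo1 address; block that as well if the
# jail must not talk to the host at all.
block return quick from $jail to $hostlo

# Inbound connections from the Internet to the forwarded service.
pass in on $ext_if proto tcp from ! $lan to $jail port 80

# Everything else the jail originates (Internet-bound, after NAT) may leave.
pass quick from $jail to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and compare `pfctl -s nat` and `pfctl -s rules` output against what you wrote: the nat output is where a list with a negated member shows up as two rules.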