Controlling traffic between jails on the same host

The Setup: I've got a pretty simple setup... A FreeBSD 10.0 host with 3 jails on it. The host and each jail are assigned a public IP address. The host runs PF that controls inbound and outbound traffic for itself and its jails. All works really nicely. Here's a basic diagram:

HOST: IF: bce0 - IP: 192.168.1.100
|
--- JAIL 1: IF: bce0 - IP: 192.168.1.101
--- JAIL 2: IF: bce0 - IP: 192.168.1.102
--- JAIL 3: IF: bce0 - IP: 192.168.1.103

My Question: PF does a really good job controlling traffic to and from remote systems. I have recently come across the need to limit traffic from jails on the host to other jails on the same host, i.e. HostA-JailA needs to not be able to communicate with HostA-JailB. What I am seeing, however, is that because all these jails share a single interface, the traffic must not be going through PF as it is just seen as local traffic.

I briefly tried to bring up a jail on another interface (lo1 for example) and use NAT to provide it with its connectivity, but even then the local traffic was still not filterable.

There's got to be a way, but my brain hasn't thought of it yet. Any advice would be amazing, thanks so much ahead of time!
 
After spending a bit more time searching through this forum, I found a very helpful thread!

https://forums.freebsd.org/viewtopi...it=block+between+two+IP+addresses+on+same+NIC

I was searching "jails" mostly and when I found this it made me realize it's not really a jail specific question. Anyway, using lo0 in PF to filter the traffic between the jails on the same interface worked great. And I did have "skip lo" in my PF config only because I see it everywhere I look.

Good learning tonight.
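An added example (not the poster's configuration, and not taken from the linked thread) of what the second post describes: a pf.conf for the host in the diagram above, with the "skip lo" line that hid the jail-to-jail traffic shown beside the loopback rules that make it filterable. The interface name bce0 and the 192.168.1.10x addresses are assumed from the diagram; the SSH/HTTP pass rules on the external interface are placeholders for whatever the host actually serves.

```pf
# Added example, not the original poster's pf.conf.
# Interface and addresses are assumptions taken from the thread's diagram.
ext_if  = "bce0"
host_ip = "192.168.1.100"
jail1   = "192.168.1.101"
jail2   = "192.168.1.102"
jail3   = "192.168.1.103"
table <jails> { $jail1, $jail2, $jail3 }

# Weak setting (what the first post had). Packets between two addresses
# that both live on this host never leave the kernel: they are looped
# back through lo0, so skipping lo0 means PF never evaluates them.
#set skip on lo

# Corrected: keep lo0 under PF control. Plain loopback traffic stays open.
pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# A jail talking to its own address is still fine; match it before the
# jail-to-jail block below (quick rules win on first match).
pass quick on lo0 from $jail1 to $jail1
pass quick on lo0 from $jail2 to $jail2
pass quick on lo0 from $jail3 to $jail3

# Jail-to-jail isolation: the looped-back packet is seen once on the way
# out of lo0 and once on the way back in, so block both directions.
block drop out quick on lo0 from <jails> to <jails>
block drop in  quick on lo0 from <jails> to <jails>

# Host <-> jail traffic on the loopback path is still allowed.
pass quick on lo0

# External interface: ordinary host/jail rules (placeholder services).
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp to $host_ip port 22 keep state
pass in on $ext_if proto tcp to $jail1 port { 80, 443 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the assumption the rules rest on with `tcpdump -ni lo0 host 192.168.1.101` while a jail tries to reach another: if the packets show up on lo0, the block rules apply, and `pfctl -vs rules` will show their counters climbing. If "set skip on lo" is left in, lo0 is excluded from filtering and none of the lo0 rules above ever match.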
 