Hi all,
So here is the situation: I've got 5 jails running on one interface (aliases) and I've set up pf to protect them, but it seems to be out of my league to configure pf not to allow communication between jails except if it isn't specifically mentioned in pf.conf.
Example:
Jail1 not to have ssh to Jail2 but to have mysql access.
My current pf.conf:
Code:
if="fxp0"
wolfdale="192.168.2.3"
yorkfield="192.168.2.4"
db="192.168.2.9"
web="192.168.2.10"
samba="192.168.2.11"
ftp="192.168.2.12"
backup="192.168.2.13"
hp1="15.0.0.0/8"
hp2="16.0.0.0/8"
megalan="80.13.55.0/24"
r2="78.90.106.6"
r1="192.168.2.1"
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data, >1024 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
# Options must come before scrub and filter rules; pfctl rejects a "set" line
# placed after "block all", so "set skip on lo" is moved up into this section.
set state-policy if-bound
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set skip on lo
# Normalization
scrub in all
# Spoof protection and default deny
antispoof log quick for $if
block in quick from urpf-failed
block all
#### SSH
pass in quick log on $if inet proto tcp from $yorkfield os "Linux 2.6" to $wolfdale port 2094 flags S/SAFR synproxy state
pass in quick log on $if inet proto tcp from $yorkfield os "Linux 2.6" to $backup port 2094 flags S/SAFR synproxy state
#### HTTPD
pass in on $if inet proto tcp from any to $web port 80 flags S/SA synproxy state
#### FTP
pass in quick log on $if inet proto tcp from {$yorkfield, $wolfdale, $megalan, $hp1, $hp2, $r2} to $ftp port {21, > 49152 } flags S/SAFR synproxy state
#### Samba
pass in quick on $if inet proto tcp from $yorkfield to $samba port {445,139} keep state
#### Monit
pass in on $if inet proto tcp from $yorkfield to $wolfdale port 4056 flags S/SA synproxy state
#### Random out traffic - doesn't concern monitoring, i.e. can be disabled
pass out on $if proto tcp to any port $tcp_services
pass out on $if proto udp to any port $udp_services
pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $if inet proto udp from any to any port 33433 >< 33626 keep state
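The behaviour the post asks for, written as an added pf.conf fragment that is not the original poster's ruleset: on FreeBSD, packets between two aliases of the same interface never reach the wire, the kernel loops them back through lo0, so `set skip on lo` takes all jail-to-jail traffic out of pf's view and rules on $if never see it. The fragment below keeps lo0 filtered, denies everything by default, and passes only the one inter-jail flow the example names (MySQL from one jail to the db jail). That the web jail is the MySQL client, and the macro names $jail_if and $jails, are assumptions made for the example; the addresses are the poster's own macros, repeated so the fragment loads on its own.

```pf
# Added example, not the original poster's pf.conf.
# Assumption: inter-jail traffic between aliases on fxp0 is delivered via lo0,
# so lo0 is where jail-to-jail policy has to be enforced.
ext_if="fxp0"
jail_if="lo0"          # hypothetical macro name
db="192.168.2.9"
web="192.168.2.10"
samba="192.168.2.11"
ftp="192.168.2.12"
backup="192.168.2.13"
jails="{ 192.168.2.9, 192.168.2.10, 192.168.2.11, 192.168.2.12, 192.168.2.13 }"

set block-policy drop
# Deliberately no "set skip on lo": skipping lo0 would exempt every jail-to-jail packet.
scrub in all

# Default deny on every interface, the loopback path the jails share included.
block log all

# The host's own loopback daemons still need 127.0.0.1 <-> 127.0.0.1.
pass quick on $jail_if inet from 127.0.0.1 to 127.0.0.1

# Explicit inter-jail allowance: the web jail may open MySQL on the db jail.
# No direction keyword, because on lo0 the same packet is seen going out and coming in.
pass quick on $jail_if inet proto tcp from $web to $db port mysql flags S/SA keep state

# Every other flow between jails (SSH from web to db included) is dropped and logged.
block log quick on $jail_if inet from $jails to $jails
```

Load it with `pfctl -nf` first to catch syntax errors, then watch `tcpdump -n -e -ttt -i pflog0` while connecting from one jail to another: a MySQL connection from the web jail should establish, and an SSH attempt between the same two jails should show up as a logged block on lo0. The `block log quick ... from $jails to $jails` line is redundant with `block log all`, but it gives an explicit, auditable rule that names the jail-to-jail policy rather than relying on the catch-all.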