Hello forums.freebsd.org!
A couple of mates and I have invested in a dedicated server with the intention of running separate jailed systems for each of us and locking down the host system (although we all have root access to it).
The jails are configured and running well, and I have just recently implemented a basic PF setup.
In an effort to minimize our need to log in to the host system, I am trying to allow us to define our own PF rulesets within our jails (obviously restricted to our jailed IPs).
I can see that using PF's anchor feature is likely our best bet, my initial configuration is something like:
host system:
Code:
# /etc/pf.conf on HOST
sys_host = 192.168.0.1
sys_wrs = 192.168.0.2
set loginterface rl0
set skip on lo0
block in all
# Allow incoming SSH connections to HOST
pass in quick on rl0 proto tcp from any to $sys_host port 22 keep state
# Jailed host 'wrs'
# Always allow SSH
pass in quick on rl0 proto tcp from any to $sys_wrs port 22 keep state
anchor wrs in on rl0 from any to $sys_wrs
load anchor wrs from "/usr/jails/jail_wrs/etc/pf.conf"
pass out all keep state
jailed system:
Code:
# /etc/pf.conf on JAIL_WRS
pass in proto tcp from any to any port 80 keep state
This works as expected however I see two problems.
PF still needs to have its rules reloaded for any changes to jailed pf.conf to be accounted for. I feel this can be done with a simple crontab entry on the host, but..
If the jailed system pf.conf is invalid, the above method of refreshing the ruleset will fail without notifying the jail owner. This would cause any other anchors to become stale.
Also, we are interested in graphing our combined and individual bandwidth usage. I've had success using pfstat and symon, however neither of these appear to allow graphing traffic to/from a particular IP, instead showing only total traffic for a particular interface.
Any suggestions on how to proceed?
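One way to close the silent-failure gap from the first problem, given here as an added example rather than the poster's own configuration: a host-side script that dry-runs each jail's pf.conf with `pfctl -n` before loading only that jail's anchor, and writes the outcome into the jail's own filesystem so the owner sees it without logging in to the host. The jail list, the `jail_<name>` directory layout under `/usr/jails` and the `etc/pf.status` file name are assumptions.

```shell
#!/bin/sh
# Added example: refresh per-jail PF anchors safely from the host (run from cron).
# A jail's pf.conf is parsed first (pfctl -n loads nothing); only a file that parses
# is loaded into that jail's anchor, so one broken file cannot stall the other
# anchors, and the result is written to a status file inside the jail.

JAILS="${JAILS:-wrs}"                       # space-separated jail names; anchor name == jail name (assumed)
JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"        # jail_<name> directories live here (layout from the post)
STATUS_FILE="${STATUS_FILE:-etc/pf.status}" # relative to the jail root; hypothetical file name

# reload_anchor NAME: 0 if NAME's pf.conf parsed and was loaded, 1 otherwise.
reload_anchor() {
    name=$1
    root="$JAIL_ROOT/jail_$name"
    conf="$root/etc/pf.conf"
    status="$root/$STATUS_FILE"

    if [ ! -r "$conf" ]; then
        printf '%s: %s missing or unreadable; anchor left unchanged\n' "$(date)" "$conf" > "$status"
        return 1
    fi
    # Dry run: -n parses the file in the anchor's context and reports errors without touching rules.
    if ! err=$(pfctl -n -a "$name" -f "$conf" 2>&1); then
        printf '%s: pf.conf rejected; anchor left unchanged\n%s\n' "$(date)" "$err" > "$status"
        return 1
    fi
    # Parses cleanly: replace this anchor's rules only, never the whole host ruleset.
    if ! err=$(pfctl -a "$name" -f "$conf" 2>&1); then
        printf '%s: load failed; anchor may be stale\n%s\n' "$(date)" "$err" > "$status"
        return 1
    fi
    printf '%s: anchor %s loaded OK\n' "$(date)" "$name" > "$status"
    return 0
}

# reload_all_anchors: refresh every jail; return value is the number of jails that failed.
reload_all_anchors() {
    failed=0
    for j in $JAILS; do
        reload_anchor "$j" || failed=$((failed + 1))
    done
    return "$failed"
}

# Host crontab entry, e.g.:  */5 * * * * /root/jailpf.sh run
if [ "${1:-}" = "run" ]; then
    reload_all_anchors
fi
```

Because the host's `anchor wrs in on rl0 from any to $sys_wrs` rule is what scopes the loaded rules to the jail's traffic, the script deliberately reloads only the anchor and never the host ruleset.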