PF pf and alias filtering

abishai


I have several aliases on the em0 interface (all of them are 10.0.1.0/24) for my jails; however, in this scheme I can't limit jail-to-jail connectivity.

Even if I set block all in the pf rules, jails can connect to each other. Is this some kind of limitation of aliases?
 

SirDice


Traffic never passes through the interface so PF is completely oblivious to it.
 

kpa


That's because lo1 is a different interface on the system. Just look at the ifconfig output, it certainly is not the same interface as your main network interface. If the traffic traverses across different interfaces PF is able to filter that traffic.
 
abishai

kpa said:
That's because lo1 is a different interface on the system. Just look at the ifconfig output, it certainly is not the same interface as your main network interface. If the traffic traverses across different interfaces PF is able to filter that traffic.

The same means 'the same conditions, but with lo1'.
Here is the config:
Code:
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.2.1 netmask 255.255.255.0 up"
ifconfig_lo1_alias0="inet 10.0.2.2 netmask 255.255.255.255"
ifconfig_lo1_alias1="inet 10.0.2.3 netmask 255.255.255.255"
ifconfig_lo1_alias2="inet 10.0.2.4 netmask 255.255.255.255"
ifconfig_lo1_alias3="inet 10.0.2.5 netmask 255.255.255.255"
ifconfig_lo1_alias4="inet 10.0.2.6 netmask 255.255.255.255"
ifconfig_lo1_alias5="inet 10.0.2.7 netmask 255.255.255.255"
ifconfig_lo1_alias6="inet 10.0.2.8 netmask 255.255.255.255"
ifconfig_lo1_alias7="inet 10.0.2.9 netmask 255.255.255.255"
Jails are bound to aliases.

pf can filter traffic coming from one jail to another.
If I block all, no communication is possible; I have to write rules like
Code:
pass on $jail inet proto tcp from $jail:network to $j_database port 5432                        no state        # POSTGRESQL
pass on $jail inet proto tcp from $j_database port 5432 to $jail:network                        no state        # POSTGRESQL
For example, commenting this out means immediate loss of connectivity to the database server. So, the original question was: where is the difference?
Code:
root@web:/ # telnet 10.0.2.3 5432
Trying 10.0.2.3...
Connected to database.abinet.ru.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
Anyone here?
Code:
abishai@abinet:~ % doas tcpdump -i lo1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo1, link-type NULL (BSD loopback), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
No.
Adding
Code:
block in quick on $jail inet proto tcp from 10.0.2.4 to $j_database
to the firewall:
Code:
root@web:/ # telnet 10.0.2.3 5432
Trying 10.0.2.3...
Bye-bye, it is good to be admin of localhost :p
 

leebrown66


As SirDice said, the em0 interface never receives those packets, therefore they do not get processed by PF. The only way a packet arrives on the NIC is over the wire.
The lo interface is purely software though, so PF does see packets sent via that interface.
 
abishai

leebrown66 said:
As SirDice said, the em0 interface never receives those packets, therefore they do not get processed by PF. The only way a packet arrives on the NIC is over the wire.
The lo interface is purely software though, so PF does see packets sent via that interface.

What solution is there for jails and em0 in the same /24 network with pf support? A bridge with lo1 and em0?
 

leebrown66


(I am not a PF guy, nor do I set up my jails this way):
I would think you need a loopback address for each jail, then NAT that to your various NIC addresses.
 
abishai

All traffic from jail to jail is flowing through loopback (lo0).
The solution is not to skip lo0 in pf.conf, but to set rules for it.
For example,
Code:
pass in on $int_if inet proto tcp from $lan_webserver to $lan_database port postgresql
where $int_if is lo0 and $lan_* are aliases of em0
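
A check for the fix described in the last post, as an added example that is not part of the thread: a shell function that reports every loopback interface (or the `lo` interface group) named in a `set skip on` statement of a pf.conf, including through a macro or a list. The function name, the sample rulesets and the 10.0.1.x addresses are constructed assumptions; filter.conf is only input for the check, not a complete ruleset.

```shell
#!/bin/sh
# Added example: list loopback interfaces that a pf.conf exempts from filtering.
# Prints "<line> <interface>" per hit; exit status 0 = at least one, 1 = none.
pf_skipped_loopback() {
    awk '
    { sub(/#.*/, "") }                                  # strip comments
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {            # macro: name = "value"
        name = $0; sub(/[ \t]*=.*/, "", name); gsub(/[ \t]/, "", name)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
        macro[name] = val
        next
    }
    /^[ \t]*set[ \t]+skip[ \t]+on[ \t]/ {
        spec = $0; sub(/^[ \t]*set[ \t]+skip[ \t]+on[ \t]+/, "", spec)
        gsub(/[{},]/, " ", spec)
        n = split(spec, tok, /[ \t]+/); flat = ""
        for (i = 1; i <= n; i++) {                      # expand $macros one level
            t = tok[i]
            if (substr(t, 1, 1) == "$") t = macro[substr(t, 2)]
            flat = flat " " t
        }
        gsub(/[{},]/, " ", flat)                        # a macro may hold a list
        n = split(flat, tok, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^lo[0-9]*$/) { print NR, tok[i]; found = 1 }
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample rulesets (addresses are assumptions, not from the thread).
demo_dir=$(mktemp -d)
cat > "$demo_dir/skip.conf" <<'EOF'
int_if = "lo0"
set skip on { $int_if, lo1 }   # jail-to-jail traffic is never evaluated
block all
EOF
cat > "$demo_dir/filter.conf" <<'EOF'
int_if = "lo0"
block all
pass in on $int_if inet proto tcp from 10.0.1.10 to 10.0.1.11 port postgresql
EOF
for f in skip.conf filter.conf; do
    pf_skipped_loopback "$demo_dir/$f" || echo "$f: no loopback interface skipped"
done
rm -rf "$demo_dir"
```

Run against the live ruleset, a hit on lo0 means rules written for jail-to-jail traffic on that interface are never evaluated.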
 