# PF access/stats within jailed system



## wrs (Dec 8, 2009)

Hello forums.freebsd.org!

A couple of mates and I have invested in a dedicated server with the intention of running seperate jailed systems for each of us and locking down the host system ( although we all have root access to it ). 

The jails are configured and running well, and I have just recently implemented a basic PF setup.

In an effort to minimize our need to log in to the host system, I am trying to allow us to define our own PF rulesets within our jails ( obviously restricted to our jailed IPs ).

I can see that using PF's anchor feature is likely our best best, my initial configuration is something like:

*host system*:

```
# /etc/pf.conf on HOST
sys_host = 192.168.0.1
sys_wrs  = 192.168.0.2

set loginterface rl0
set skip on lo0
block in all

# Allow incomming SSH connections to HOST
pass in quick on rl0 proto tcp from any to $sys_host port 22 keep state

# Jailed host 'wrs'
# Always allow SSH
pass in quick on rl0 proto tcp from any to $sys_wrs port 22 keep state
anchor wrs in on rl0 from any to $sys_wrs
load anchor wrs from "/usr/jails/jail_wrs/etc/pf.conf

pass out all keep state
```

*jailed system*:

```
# /etc/pf.conf on JAIL_WRS
pass in proto tcp from any to any port 80 keep state
```

This works as expected however I see two problems.

PF still needs to have its rules reloaded for any changes to jailed pf.conf to be accounted for. I feel this can be done with a simple crontab entry on the host, but..

If the jailed system pf.conf is invalid, the above method of refreshing the ruleset will fail without notifying the jail owner. This would cause any other anchors to become stale.

Also, we are interested in graphing our combined and individual bandwidth usage. I've had success using pfstat and symon, however neither of these appear to allow graphing traffic to/from a particular IP, instead showing only total traffic for a particular interface.

Any suggestions on how to proceed?


----------



## Voltar (Dec 8, 2009)

What version of FreeBSD are you running? 8.0 introduced vimage (network stack virtualization, not sure if it is in the 7 branch at all), so you could have you pf rules for each jail, in the jail, loaded from the jail.




			
				wrs said:
			
		

> PF still needs to have its rules reloaded for any changes to jailed pf.conf to be accounted for. I feel this can be done with a simple crontab entry on the host, but..
> 
> If the jailed system pf.conf is invalid, the above method of refreshing the ruleset will fail without notifying the jail owner. This would cause any other anchors to become stale.



You could have your cron script check the rule sets before actually loading them, e.g. `# pfctl -n -f /path/to/pf.conf`, and if they fail the test, don't load them and/or send an email to that jail's owner. 





> Also, we are interested in graphing our combined and individual bandwidth usage. I've had success using pfstat and symon, however neither of these appear to allow graphing traffic to/from a particular IP, instead showing only total traffic for a particular interface.



I've only graphed data transfer from the interface or a switch using snmp data. I'd be interested to know this too.


----------



## wrs (Dec 8, 2009)

We're running 8.0.

I had noticed _vimage_ mentioned in the release notes but was unable to find any other documentation, where have I missed ?


----------



## Voltar (Dec 8, 2009)

There's a few threads here around here about it, this might be of help.

I'm still in the process of setting it up on my dev box, so I can't be too much help yet. I know you need the vimage option in your kernel config and the tools installed.


----------

