# Deny connection between jails with pf



## click (Aug 26, 2010)

Hi all,

So here is the situation I`ve got 5 jails running on one interface(aliases) and I`ve setup pf to protect them, but it seems to be out of my league to configure pf not to allow communication between jails except if it isn`t especially mentioned in pf.conf.

Example:
Jail1 not to have ssh to Jail2 but to have mysql access.

My current pf.conf:

```
if="fxp0"
wolfdale="192.168.2.3"
yorkfield="192.168.2.4"
db="192.168.2.9"
web="192.168.2.10"
samba="192.168.2.11"
ftp="192.168.2.12"
backup="192.168.2.13"
hp1="15.0.0.0/8" 
hp2="16.0.0.0/8"
megalan="80.13.55.0/24"
r2="78.90.106.6"
r1="192.168.2.1"


tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data, >1024 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"



set state-policy if-bound
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization none

scrub in all

antispoof log quick for $if

block in quick from urpf-failed
block all
set skip on lo
#### SSH
pass in quick log on $if inet proto tcp from $yorkfield os "Linux 2.6" to $wolfdale port 2094 flags S/SAFR synproxy state
pass in quick log on $if inet proto tcp from $yorkfield os "Linux 2.6" to $backup port 2094 flags S/SAFR synproxy state 

#### HTTPD
pass in on $if inet proto tcp from any to $web port 80 flags S/SA synproxy state

#### FTP
pass in quick log on $if inet proto tcp from {$yorkfield, $wolfdale, $megalan, $hp1, $hp2, $r2} to $ftp port {21, > 49152 } flags S/SAFR synproxy state


#### Samba
pass in quick on $if inet proto tcp from $yorkfield to $samba port {445,139} keep state

#### Monit
pass in on $if inet proto tcp from $yorkfield to $wolfdale port 4056 flags S/SA synproxy state

#### Random out traffic - dosent conserns monitoring t.e can be disabled
pass out on $if proto tcp to any port $tcp_services 
pass out on $if proto udp to any port $udp_services 
pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $if inet proto udp from any to any port 33433 >< 33626 keep state
```


----------



## quintessence (Aug 26, 2010)

Hello,

To allow only access to mysql from jail1 to jail2


```
if="rl0" # with IP 192.168.1.1
jail1="192.168.1.2" # alias
jail2="192.168.1.3" # alias

block all

pass quick on $if inet proto tcp from $jail1 to $jail2 port 3306
```


----------



## click (Aug 26, 2010)

Yes, that worked to some extent (removing the skip on lo0) - I mean this way ssh to the host itself(not in jail) with flags S/SAFR synproxy state or flags S/SA synproxy state is dropped too. Is that normal? It is working fine without specified flags.


----------



## click (Aug 26, 2010)

Update: I`ve just tried the example given by  and it didn`t work I`ve removed the state-policy if-bound but without success. It seems that the communication between jail is on lo0?


```
[root@wolfdale ~]# tcpdump -i lo0 -c 10 not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
13:41:49.149473 IP web.47080 > db.3306: Flags [S], seq 920068416, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 69276462 ecr 0], length 0
13:41:49.149488 IP db.3306 > web.47080: Flags [S.], seq 2379383675, ack 920068417, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 4098561493 ecr 69276462], length 0
13:41:49.149497 IP web.47080 > db.3306: Flags [.], ack 1, win 8960, options [nop,nop,TS val 69276462 ecr 4098561493], length 0
13:41:49.149673 IP db.3306 > web.47080: Flags [P.], ack 1, win 8960, options [nop,nop,TS val 4098561493 ecr 69276462], length 62
13:41:49.149700 IP web.47080 > db.3306: Flags [P.], ack 63, win 8960, options [nop,nop,TS val 69276462 ecr 4098561493], length 64
13:41:49.149722 IP db.3306 > web.47080: Flags [P.], ack 65, win 8960, options [nop,nop,TS val 4098561493 ecr 69276462], length 11
13:41:49.149760 IP web.47080 > db.3306: Flags [P.], ack 74, win 8960, options [nop,nop,TS val 69276462 ecr 4098561493], length 19
13:41:49.149802 IP db.3306 > web.47080: Flags [P.], ack 84, win 8960, options [nop,nop,TS val 4098561493 ecr 69276462], length 11
13:41:49.149818 IP web.47080 > db.3306: Flags [P.], ack 85, win 8960, options [nop,nop,TS val 69276462 ecr 4098561493], length 9
13:41:49.149844 IP db.3306 > web.47080: Flags [P.], ack 93, win 8960, options [nop,nop,TS val 4098561493 ecr 69276462], length 11
10 packets captured
60 packets received by filter
0 packets dropped by kernel
```

But applying the example for lo0 and fxp0 both didn`t work too.


----------



## click (Aug 26, 2010)

Update: Fix it 


```
scrub in on $if all
#antispoof log quick for $if
pass quick on lo0 inet proto tcp from $web to $db port 3306 keep state
```
You can mark my topic as Solved thanks for the help


----------

