# [Problem] ezjail, pf and loopback interface routing rules



## Preacher (Sep 6, 2014)

I've got a bit of a problem. I have a host machine: FreeBSD version 10.0-RELEASE-p7.

On that host machine I have a bunch of jails created using ezjail.

My goal is as follows:
a) To isolate the jails from the host system (important one that is kind of the idea, I think, of a jail).
b) To isolate the jails from each other with exception of some rules, so that jails may still use each other's services, to the extent that it is necessary.

Each jail has a local IP-address such as 192.168.1.1/24, 192.168.1.2/24, etc. each bound to a different cloned loopback interface.

Problem with goal a): I have a firewall (pf) active on the host system with which I tried to filter out connections from the jails to the host system. But it still does not work. I have tried numerous options. Sometimes it seemed to work for a while, but maybe something changed, and then it did not, I don't know anymore, tried many things in /etc/pf.conf, like blocking based on IP-address in combination with lo0 (because it is the interface that is cloned), tried blocking the cloned interfaces themselves, etc. etc.

What does work is throw out some routing rules attached to the cloned loopback interfaces. It seems that for each interface a route is attached to lo0 and the cloned interfaces may then access that. So I decided to add the following lines to /etc/rc.conf:

```
static_routes="jailrestrict1 jailrestrict2 jailrestrict3"
route_jailrestrict1="-host <local ip of interface inside host system> 0.0.0.0"
route_jailrestrict2="-host <local ip of interface inside host system> 0.0.0.0"
route_jailrestrict3="-host <local ip of interface inside host system> 0.0.0.0"
```

It's probably perfectly normal that such routes are added to lo0. Anyway, it kind of works this way, except for some applications that add their own route after those jailrestrict routing rules have been added, so then the static rules get overridden.

Has this problem happened to anyone else? I usually read about people having problems with giving Internet access to jails. But I've got it the other way around.

Also tried adjusting my NAT-rules in /etc/pf.conf.

Any advice?


----------



## Preacher (Sep 6, 2014)

*Re: [Problem] ezjail, pf and loopback interface routing rule*

Never mind, I now have a working block rule.

I just do something like this:
```
block in on lo0 from { <jail_table> } to $IP_INT
block in on lo0 from { <jail_table> } to $IP_PUB
block in on lo0 from { <jail_table> } to $IP_VPN
```

I think I was just too tired to think straight. Now I've got a solution to at least goal a). At least they can't right away SSH into my host machine now, should they break into a jail.


----------
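The block rules from the post above, shown as a fuller `/etc/pf.conf` fragment with the macros and table they depend on. This is an added example, not the poster's actual configuration: the host addresses and the third jail address are constructed placeholders, and the `quick` keyword and the `set skip` caveat are additions.

```conf
# --- Macros (constructed placeholder addresses, replace with your own) ---
IP_INT = "10.0.0.1"        # host's internal address (assumed)
IP_PUB = "203.0.113.10"    # host's public address (documentation range)
IP_VPN = "10.8.0.1"        # host's VPN address (assumed)

# --- Table of jail addresses, one per cloned loopback interface ---
# 192.168.1.1 and 192.168.1.2 are the examples from the thread;
# 192.168.1.3 is constructed.
table <jail_table> persist { 192.168.1.1, 192.168.1.2, 192.168.1.3 }

# --- Options ---
# Caveat: rules on lo0 are only evaluated if pf filters lo0.
# A line like the following disables filtering on lo0 entirely and
# would make the block rule below a no-op, so it must NOT be present:
#   set skip on lo0

# --- Filter rules ---
# Jail-to-host traffic shows up inbound on lo0, as found in the thread.
# pf is last-match by default, so "quick" is added here to stop
# evaluation at this rule; a later "pass" rule cannot override it.
block in quick on lo0 from <jail_table> to { $IP_INT, $IP_PUB, $IP_VPN }

# --- Checks to run on the host after editing ---
#   pfctl -nf /etc/pf.conf        # parse only, report syntax errors
#   pfctl -f  /etc/pf.conf        # load the ruleset
#   pfctl -t jail_table -T show   # confirm the table contents
#   pfctl -sr                     # confirm the block rule is loaded
```

When a new jail is created, adding its address to `<jail_table>` is enough for the block rule to cover it.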

