# PF pass if source equals destination



## geekspark (Nov 20, 2012)

Without doing multiple rules like the below, is there a way to have a single rule that will pass/drop/etc. if and only if a packet's source is EQUAL to its destination?

```
pass quick inet from 192.168.1.2 to 192.168.1.2 keep state
pass quick inet from 192.168.1.3 to 192.168.1.3 keep state
pass quick inet from 192.168.1.4 to 192.168.1.4 keep state
```


----------



## initpy (Nov 20, 2012)

Strange question... I don't actually understand the need for such rules. But I'm fairly new too 

I hope someone will answer this. I was about to suggest using tables:


```
table <we> { 192.168.1.1, 192.168.1.2, 192.168.1.3 }
pass quick inet from <we> to <we> keep state
```

But that will let any IP from the "we" pass to any other IP in the "we" table too.

I'd like to understand the actual need for your rules actually.


----------



## geekspark (Nov 20, 2012)

> Strange question... I don't actually understand the need for such rules. But I'm fairly new too


lol I agree it is strange, and normally such a rule would have no effect or be undesired. However my server has several jails within it and sometimes these jails need to talk to themselves over the network (even if their traffic doesn't actually leave the host). The problem is that I don't want the jails to be able to talk to any jails or devices on the LAN (aside from a few special cases like DNS which I've already created rules for).

I'd prefer a single rule that could accomplish this so when I add/remove jails I don't have to alter the firewall, but I'll probably settle for creating several unique rules for each jail if there is no alternative.


----------



## urosgruber (Nov 20, 2012)

I'm having the same problem here. If you find something more readable than this I'll be glad to hear from you. I have a server with more than 600 jails, and 600 rules in pf is just ugly.


----------



## urosgruber (Nov 20, 2012)

I just tried something and I think I found a solution. Maybe it will help you. Here is an excerpt from my pf.conf:


```
# jail network and the host's public address
jailnet   = "172.20.0.0/23"
public_ip = "external ip"   # replace with the host's external address
ext_if    = "em0"           # assumed: external interface; not named in the original post

# Important: do NOT "set skip on lo" here. The jail traffic below is filtered
# on lo0, and skipping the loopback interface would disable all of these rules.
#set skip on lo

nat on $ext_if from $jailnet to any -> $public_ip

block log all

# jails <-> the host's public address, and host loopback to itself
pass on lo0 from $jailnet to $public_ip
pass on lo0 from $public_ip to $jailnet
pass on lo0 from 127.0.0.1 to 127.0.0.1

# to pass between two specific jails
pass on lo0 from 172.20.0.12 to 172.20.0.24
pass on lo0 from 172.20.0.24 to 172.20.0.12
```


----------



## bbzz (Nov 20, 2012)

I use lo1. Specify which jail can talk to itself, then block the rest on that interface from itself, then let in the rest.

```
# assumed addresses on the cloned loopback; the original post does not give them
jtorrent = "127.0.1.2"
jcups    = "127.0.1.3"

# each listed jail may talk to itself
pass  quick on lo1 from $jtorrent  to $jtorrent
pass  quick on lo1 from $jcups     to $jcups
...
# nothing else from the jail range on this interface, then allow the rest
block quick on lo1 from 127.0.1.0/24
pass  quick on lo1
```


----------
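
pf has no address match meaning "source equals destination": tables match each side independently, and `self` expands to every address configured on the host, which on a jail host includes every jail alias, so `from self to self` would permit jail-to-jail traffic as well. The per-jail rules therefore stay, and the practical fix for the maintenance problem geekspark and urosgruber raise is to generate them. The script below is an added example (not code from any poster in this thread) that writes bbzz's lo1 layout from a list of jails, and checks a pf.conf for the `set skip on lo` trap urosgruber's excerpt warns about. The interface `lo1` and range `127.0.1.0/24` follow bbzz's post; the jail names, their addresses, the `jls` invocation in the comment and the `JAIL_*` variable names are assumptions.

```shell
#!/bin/sh
# Generate per-jail "talk to itself only" pf rules in bbzz's lo1 layout.
# pf has no "source equals destination" match, so one pass rule per jail is
# still needed; this script writes them from a jail list so the ruleset is
# regenerated instead of hand-edited whenever jails come and go.
#
# On a real host the list would come from the jail subsystem, for example
#   jls name ip4.addr | gen_self_rules
# (assumed: one address per jail). A constructed list is used here so that
# the script runs offline.

JAIL_IF="lo1"            # assumed: cloned loopback the jails are bound to
JAIL_NET="127.0.1.0/24"  # assumed: address range the jails are numbered from

# Constructed sample input: "name address", one jail per line.
JAILS='jtorrent 127.0.1.2
jcups 127.0.1.3
jdns 127.0.1.4'

# gen_self_rules: read "name ip" pairs on stdin, print pf filter rules.
# Order matters: per-jail self passes first (quick), then block everything
# else from the jail range on the interface, then let the rest through.
gen_self_rules() {
    while read -r name ip; do
        [ -z "$name" ] && continue
        printf 'pass  quick on %s from %s to %s # %s talks to itself\n' \
            "$JAIL_IF" "$ip" "$ip" "$name"
    done
    printf 'block quick on %s from %s\n' "$JAIL_IF" "$JAIL_NET"
    printf 'pass  quick on %s\n' "$JAIL_IF"
}

# check_no_skip: the generated rules are evaluated on a loopback interface,
# so they are silently ignored if the main pf.conf has "set skip on lo" (or
# lists a lo* interface inside a skip set). Warns and returns 1 if it does.
check_no_skip() {
    if grep -Eq '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on.*[^[:alnum:]]lo([0-9]|[^[:alnum:]]|$)' "$1"; then
        echo "warning: $1 skips filtering on a loopback interface; jail rules would never match" >&2
        return 1
    fi
    return 0
}

# Standalone use: print the rules to stdout, and if a pf.conf path is given
# as the first argument, check it for a loopback skip.
printf '%s\n' "$JAILS" | gen_self_rules
if [ $# -ge 1 ]; then
    check_no_skip "$1"
fi
```

Redirect the output to its own file and pull it into the main ruleset with `include` in pf.conf, or load it separately with `pfctl -a jails -f jails.pf` under an `anchor "jails" on lo1` line, so that adding or removing a jail only means regenerating and reloading that file. Run `pfctl -nf` on the result before loading; it is a plain filter ruleset, so a syntax check needs nothing else.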

