# Block access to IP alias address



## bbzz (Apr 21, 2012)

I have a couple of jails running on a machine that used to serve only as a router. The internal physical interface is sitting on the 172.16.0.0/12 network. The jails' IP aliases sitting on that interface are on the 10.0.0.0/8 network, for example 10.255.255.53/32 for DNS, 10.255.255.80/32 for web, etc.

Hosts on 172.16.0.0/12 are able to "telnet" into 172.16.0.254 80, which gets redirected with pf to 10.255.255.80 80, but are also able to directly "telnet" into 10.255.255.80 80.

Security-wise I don't think it matters since the service is still listening only on jailed port 80 (plus it's my home network). What bugs me is that I'm unable to limit network traffic to only the physical IP, not the alias IPs, in pf.

Can I stop hosts from logging directly into the aliased IP, and even more, stop the aliased IP from answering layer 2 traffic such as ARP? In other words, hosts on 172.16.0.0/12 shouldn't see any host on 10.0.0.0/8.


----------



## ecazamir (Apr 30, 2012)

There is no 'physical' IP, all of them are aliases. 

Use

```
block in log all
```

at the beginning of the pf.conf rules section and enable pflogd. Use pflog to check what connections are blocked.

ARP can't be disabled per subnet, but the interfaces can be configured to not respond to ARP requests (see *ifconfig if0 staticarp*). 

Your problem can be fixed faster using a loopback interface for the jail, unreachable from any NIC, combined with NAT. Move the 10.255.255.x addresses to lo0 or lo1, or use a loopback interface for each jail.


----------



## bbzz (Apr 30, 2012)

Thanks for replying.

ecazamir said:

> There is no 'physical' IP, all of them are aliases.



Obviously 


> Use 'block in log all' at the beginning of pf.conf rules section and enable pflogd. Use pflog to check what connections are blocked.


Simple blocking like that doesn't work in *pf*. That is, if you block either main IP address or alias IP that is getting redirected to main, traffic will not pass.



> ARP can't be disabled per subnet, but the interfaces can be configured to not respond to ARP requests (see ifconfig if0 staticarp).


Doesn't that just disable ARPing for other IPs? It still answers for its own addresses, I think. I'll look into it.



> Your problem can be fixed faster using a loopback interface for the jail, unreachable from any NIC, combined with NAT. Move the 10.255.255.x addresses to lo0 or lo1, or use a loopback interface for each jail.



That's what I'm doing right now for all my jails.


----------
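The loopback-plus-NAT layout suggested in ecazamir's reply, written out as an added pf.conf example (not posted by anyone in the thread). It goes one step further than the thread by tagging redirected connections, so that direct connections to the jail address fall through to `block in log all`; the interface names `em0`/`em1`, the tag name `WEB_RDR` and the use of `lo1` are assumptions.

```conf
# /etc/pf.conf (constructed example; interface names are assumptions)
# Assumes the jail address was moved from the LAN NIC to a cloned loopback,
# e.g. in /etc/rc.conf:
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 10.255.255.80 netmask 255.255.255.255"

ext_if   = "em0"              # assumed upstream NIC
int_if   = "em1"              # assumed NIC on 172.16.0.0/12
lan_net  = "172.16.0.0/12"
jail_net = "10.0.0.0/8"
rtr_ip   = "172.16.0.254"
web_jail = "10.255.255.80"

set skip on lo0

# Translation is applied before filtering, so the filter rules below see
# 10.255.255.80 as the destination of redirected packets. The tag is what
# tells them apart from packets a LAN host addressed to the jail directly.
rdr on $int_if inet proto tcp from $lan_net to $rtr_ip port 80 \
    tag WEB_RDR -> $web_jail port 80
nat on $ext_if inet from $jail_net to any -> ($ext_if)

block in log all

# LAN traffic to the router itself and to the outside, never to jail space.
pass in on $int_if inet from $lan_net to ! $jail_net

# Only connections that arrived via the rdr rule may reach the web jail.
pass in on $int_if inet proto tcp to $web_jail port 80 tagged WEB_RDR
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; direct attempts from the LAN to 10.255.255.80 should then show up on pflog0 as blocked.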

