PF Correct way to open ports for jail to jail communication in pf

I am currently learning a bit about FreeBSD with the goal of moving my server from Debian to FreeBSD. Currently I am working on running some applications (e.g. Nextcloud) in jails. Services that are needed by multiple applications I want to move into their own jails; an example would be Redis.

I use Bastille to manage my jails, as I really like the templating system. The network is created in "loopback design". Accordingly I have the vtnet0 interface of the server as well as the bastille0 interface.

I have now set up a Redis jail (IP e.g. 10.10.10.10), and other jails should be able to connect to it on port 6379. The port should only be accessible internally, not externally via the Internet. Currently I use the following rules for this:

Code:
[...]
ext_if="vtnet0"            # was "vnet0"; the host's external interface is vtnet0
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

[...]

# Redis is the single host 10.10.10.10. Written as 10.10.10.10/24 the destination
# would have been the whole 10.10.10.0/24, i.e. port 6379 on every jail.
# A jail-to-jail packet is seen twice on bastille0 (out, then in), so both
# directions get a rule; keep state covers the replies.
pass out quick on bastille0 proto tcp from 10.10.10.0/24 to 10.10.10.10 port 6379 keep state
pass in quick on bastille0 proto tcp from 10.10.10.0/24 to 10.10.10.10 port 6379 keep state

[...]

With this the communication works so far, and I can access the port from the host and from other jails. I just wanted to ask whether this is the right way to enable such internal communication between jails, because I haven't found anything in this direction on the Internet yet.
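For comparison, here is a complete pf.conf for the setup described in the question. It is an added example, not the poster's file and not Bastille's stock pf.conf. It assumes vtnet0 is the external interface, bastille0 carries 10.10.10.0/24, the Redis jail is 10.10.10.10 and a Nextcloud jail at 10.10.10.20 is the only client that should reach it. One check worth making first: the stock Bastille pf.conf contains `set skip on lo`, and because bastille0 is a cloned loopback (lo1 renamed in rc.conf) it belongs to the `lo` interface group, so with that line in place pf never evaluates any rule on bastille0 and jail-to-jail traffic is unfiltered. The example skips only lo0.

```pf
# Added example pf.conf (assumptions: ext_if vtnet0, jail loopback bastille0
# on 10.10.10.0/24, Redis jail 10.10.10.10, Nextcloud jail 10.10.10.20).
ext_if = "vtnet0"
jail_if = "bastille0"
redis = "10.10.10.10"
redis_clients = "{ 10.10.10.20 }"     # jails allowed to talk to Redis

set block-policy return
scrub in on $ext_if all fragment reassemble
# Not "set skip on lo": that group includes the cloned bastille0 and would
# exempt jail-to-jail traffic from filtering. Skip the real loopback only.
set skip on lo0

table <jails> persist                 # Bastille maintains this table
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"                    # populated by `bastille rdr`

block in all
pass out quick keep state
antispoof for $ext_if inet

# Host administration
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state

# Jail-to-jail Redis. pf sees a jail-to-jail packet twice on bastille0,
# first out, then in. "pass out quick keep state" above covers the out leg,
# so only the in leg needs a rule. The destination is the single Redis
# address, not the /24, so no other jail gets 6379 opened by accident, and
# only the listed clients may connect.
pass in quick on $jail_if inet proto tcp from $redis_clients to $redis port 6379 flags S/SA keep state

# Anything else crossing bastille0 (e.g. a reverse proxy on the host reaching
# a jail) needs its own pass in rule here.

# There is no rdr for 6379 and nothing passes in on $ext_if to $redis, so
# the port is unreachable from the Internet.
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `service pf reload`. From the Nextcloud jail `nc -z 10.10.10.10 6379` should succeed; from any other jail it should fail immediately (block-policy return answers with a RST), and `bastille rdr <jail> list` should show no entry for 6379.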
 
Assuming you are using the default Bastille pf.conf:
The loopback (bastille0) is always an internal network, apart from the ports you open using rdr.
If you do not set up a redirect (rdr), all the traffic on bastille0 is internal.
I am not sure you need pass rules for the jails to communicate; if they are on the same loopback device, they can talk.
I am a little rusty on this since I went straight to VNET jails a long time ago.
 