PF Socket connectivity between jails on different interfaces.

[darrendavid]

Hi all-

I recently jailed my externally-web-accessible services for security reasons. I currently have two separate jails:

• vpnjail: this jail hosts rtorrent, and connects to the outside world over a persistent openvpn connection on tun0.
• webjail: this jail hosts standard webservices such as lighttpd on my internal LAN, igb0.

What I'm trying to figure out is whether or not it's possible to have hosted services in webjail connect to rtorrent in vpnjail via xmlrpc over a socket. Specifically, I'd like to run ruTorrent as a web-based front end for rtorrent, but I'd like to host ruTorrent in webjail since vpnjail's IP changes frequently (every time the VPN refreshes it gets a new local/public IP). Typically ruTorrent and rtorrent are running on the same server and this has worked well in the past, but now with this isolation between services I'm stuck.

I'm hopeful this is possible with some advanced pf chops -- essentially redirecting an scgi/xmlrpc call from ruTorrent to <webjail_ip>:5000 to rtorrent listening on <vpnjail_localhost>:5000.

Happy to provide more specifics as needed. Thanks in advance for any and all insight here.

dd

 

[SirDice]

There shouldn't be a need for any NAT or redirections, the traffic is considered local even though there are two interfaces involved (traffic never actually passes the interfaces). So you should simply be able to connect to the IP address of a jail from any other jail.

But you may want to create an additional interface (lo1 for example) to connect the two jails together. This would solve the issue with the random IP address of the destination jail.

 

[darrendavid]

I like the idea of the additional interface to connect the two jails together. I seemed to be able to get that working for webjail, but vpnjail is on a separate FIB to keep the VPN separate from the LAN, which seems to have the effect of not spinning up lo1. Is there an easy way around that?

 

[abishai]

You can assing another interface to your jail and filter jail to jail traffic with pf. If your jails are not vnet, all traffic between them flows through loopback and can be filtered.