From: "Michael Ross"
To: "James Gritton", questions@freebsd.org, "Littlefield, Tyler"
Subject: Re: putting jails on public addresses
Date: Thu, 21 Aug 2014 05:47:57 +0200

On Thu, 21 Aug 2014 05:02:07 +0200, Littlefield, Tyler wrote:

> On 8/20/2014 10:50 PM, James Gritton wrote:
>> On 8/20/2014 5:20 PM, Littlefield, Tyler wrote:
>>> Hello:
>>> I'd really like to put a couple of jails on publicly accessible IP
>>> addresses. I have 5 that my provider has assigned to me. Could anyone
>>> possibly shed some light on how to do this? I know of epairs, but I'm
>>> not sure exactly how this works: does each interface (a and b) get an
>>> address? I presume one would be 192.168.0.8 and the other would be
>>> x.x.x.x (where x.x.x.x is the public address)? Which one should I set
>>> the gateway on?
>>> Thanks a lot for the help,
>>
>> You shouldn't need to mess with epair for most jails. Just specify the
>> jails' addresses (ip4.addr=x.x.x.x) in your jail.conf, and be sure to
>> have an "interface=foo0" global line. The simplest jail setup is one
>> using publicly available addresses on a single interface, which sounds
>> like what you have.
>>
> Hello:
> Thanks a lot for the info. I guess I should have been a bit more
> explicit: I want to be able to assign firewall rules to these separate
> jails. I don't think I can assign rules based on address but have to
> have some sort of interface. For example, port 80 will be open on two
> jails, but one should have rate limiting applied to it.
> Thanks,
>
>> - Jamie
>

With ipfw, you could do something like:

allow ip from any to 80
allow ip from any to 80 limit src-addr 4
reset ip from any to me 80 # catch-all

Michael
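
Added example, not part of Michael's message or anyone's code in the thread: a small sh script that prints per-jail port 80 rules keyed on destination address, in the format ipfw reads from a rules file. Assumptions: the 203.0.113.x addresses are constructed documentation addresses standing in for the provider-assigned ones, the rule numbers and function names are hypothetical, and matching tcp with setup, keep-state and check-state is this example's choice.

```shell
#!/bin/sh
# Added example: per-jail port 80 rules selected by destination address.
# Non-vnet jails share the host network stack, so the host's ipfw sees
# their traffic and can tell the jails apart by ip4.addr alone.

JAIL_OPEN="203.0.113.10"     # constructed: jail with unrestricted port 80
JAIL_LIMITED="203.0.113.11"  # constructed: jail with per-source limiting
MAX_CONN=4                   # concurrent connections per source address

# Accept only dotted-quad IPv4 addresses with octets in 0..255.
valid_ip4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the port 80 fragment; merge it into the existing ruleset rather
# than loading it alone, since it covers nothing but port 80.
emit_rules() {
    open=$1; limited=$2; max=$3
    valid_ip4 "$open" && valid_ip4 "$limited" || {
        echo "emit_rules: bad IPv4 address" >&2; return 1; }
    case $max in
        ''|*[!0-9]*) echo "emit_rules: bad limit" >&2; return 1 ;;
    esac
    cat <<EOF
add 200 check-state
add 300 allow tcp from any to $open 80 setup keep-state
add 310 allow tcp from any to $limited 80 setup limit src-addr $max
add 400 reset tcp from any to me 80
EOF
}

# Rule 400 is the catch-all: "me" matches every address configured on the
# host, so port 80 on any address not allowed above gets a TCP reset.
emit_rules "$JAIL_OPEN" "$JAIL_LIMITED" "$MAX_CONN"
```

Redirect the output to a file and review it against the rest of the ruleset before loading it.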