From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Wed, 11 Aug 2010 21:18:09 +0100
To: David Allen
Cc: Fbsd8, Brice ERRANDONEA, freebsd-questions@freebsd.org, "Randal L. Schwartz"
Subject: Re: How to connect a jail to the web ?
Message-ID: <4C630581.4000908@infracaninophile.co.uk>

On 11/08/2010 15:10:06, David Allen wrote:
>> I meant that you could block access to private servers which need to
>> listen on public network ports by just using firewall rules, as opposed
>> to making the whole jail hang off a private interface and just
>> forwarding selected traffic to it.
>>
>> For the second case, you would need pf to do the NAT'ing (or ipfw+natd
>> if that's your preference). With this trick of binding the sensitive
>> daemons to an address on the loopback, you are still secure even if pf
>> gets turned off. Of course, "secure" is not necessarily the same as
>> "working."
>
> I've read comments in the past about setting up jails using local
> loopback addresses, but I'm wondering if you wouldn't mind elaborating
> on what the actual pf rules would look like.
>
> Say you have 3 jails and more than one public IP address:
>
>   ns     127.0.0.2    public_ip_1
>   mail   127.0.0.3    public_ip_2
>   www    127.0.0.4    public_ip_3
>
> You want to pass port 25 traffic to/from the 'mail' jail. But you also
> need that jail to use the correct public_ip address. Is that possible
> without using, for example, pf's binat?
>
> Thanks.

Sure. In the best Blue Peter tradition[*], here's one I prepared earlier:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-March/171748.html

While that talks about redirecting a couple of TCP and one UDP service
into a single jailed host, I think it's pretty clear how to get from
there to having several different jails each running a different
service.

Cheers,

Matthew

[*] It's a British thing. You have to have been brought up here to
understand.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
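As an added illustration (not from this message or the linked 2008 post), here is a pf.conf fragment for the three-jail layout David describes: each jail's daemons bind only to their 127.0.0.x alias, rdr publishes selected ports on the matching public address, and nat gives outbound traffic from each jail its own public source address. Interface name em0 and the 192.0.2.x addresses are placeholders standing in for public_ip_1..3.

```pf
# Added example, not from the original thread. Assumptions: external
# interface em0; 192.0.2.x stand in for public_ip_1..3. The loopback
# aliases must exist first, e.g. in rc.conf:
#   ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255"
ext_if    = "em0"
ns_pub    = "192.0.2.1"     # placeholder for public_ip_1
mail_pub  = "192.0.2.2"     # placeholder for public_ip_2
www_pub   = "192.0.2.3"     # placeholder for public_ip_3
ns_jail   = "127.0.0.2"
mail_jail = "127.0.0.3"
www_jail  = "127.0.0.4"

# Outbound: rewrite each jail's loopback source to its own public address,
# so connections from the mail jail leave as public_ip_2 (no binat needed).
nat on $ext_if from $ns_jail   to any -> $ns_pub
nat on $ext_if from $mail_jail to any -> $mail_pub
nat on $ext_if from $www_jail  to any -> $www_pub

# Inbound: redirect only the published ports to the jail that serves them.
# Anything the jail listens on that is not listed here stays unreachable
# from the outside, because 127.0.0.x is never routed in from $ext_if.
rdr on $ext_if proto { tcp, udp } from any to $ns_pub   port 53  -> $ns_jail
rdr on $ext_if proto tcp          from any to $mail_pub port 25  -> $mail_jail
rdr on $ext_if proto tcp          from any to $www_pub  port { 80, 443 } -> $www_jail

# Filtering runs after translation, so the pass rules match the loopback
# destination, not the public one.
block in on $ext_if
pass in  on $ext_if proto { tcp, udp } to $ns_jail   port 53  keep state
pass in  on $ext_if proto tcp          to $mail_jail port 25  keep state
pass in  on $ext_if proto tcp          to $www_jail  port { 80, 443 } keep state
pass out on $ext_if keep state
```

If pf is disabled, the rdr and nat rules vanish with it and the jails are left listening on addresses that cannot be reached from the wire, which is the "secure but not working" failure mode Matthew refers to above.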