Date: Tue, 15 Nov 2016 15:50:06 +0100
From: Kristen Nielsen <krn@krn.dk>
To: freebsd-net@freebsd.org
Subject: Re: NAT Reflection rules for FreeBSD PF
Message-ID: <582B209E.1080000@krn.dk>
In-Reply-To: <20161115113705.GB1675@mail.opdns.de>
References: <CAHcXP%2BeMrDO0V276DuYKwHMoK8BrAYMhH6b16%2BVhtXRDrKAuAQ@mail.gmail.com> <20161115113705.GB1675@mail.opdns.de>
Hi.

We have had the same needs earlier, but solved it in our network.

Although I have been considering the possibility if there was an easy ACL based way to get jails to talk with each other, e.g. with sockets and related filters in the 127.0.0.0/8 IP range. Without having deep insights in the kernel network code I would believe it may be not too difficult to realise a solution like this. Of course it will only work on jails on single hosts (on the same host) and would introduce tighter bonds between jails using this feature.

Just a thought I would like to share with the list.

Kristen

On 15-11-2016 at 12:37, Oliver Peter wrote:
> El duderino,
>
> On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
>> I am trying to set up a 11.0-R PF based NAT for a group of jails that needs
>> to be able to talk to services on other jails, just as if they'd be clients
>> from outside of the network. Apparently, this is called 'NAT reflection'
>> and I was able to find examples for OpenBSD PF here:
>> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
>>
>> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
>> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
>> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
>> $ext_if external IP?
> We did something similar in a customer setup a while ago:
>
> nat on $int_if from $jail_host to any -> $int_ip
> rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
>
> Cheers
>
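The rdr/nat pairing Oliver describes is the classic NAT-reflection recipe from the older OpenBSD FAQ, which FreeBSD 11's pf still speaks natively; below it is written out for the original poster's layout. This is an added example, not a configuration from anyone in the thread: the jail addresses, the $www_jail name, port 80 and the host's 192.168.0.1 alias on lo0 are assumptions, as is treating the lo0 alias the way pf treats a LAN-side interface.

```pf
# Added example (not from the thread): NAT reflection for jails that
# share one FreeBSD 11 host, in pf's nat/rdr syntax.
# Assumed: public address on xn0, jails on a 192.168.0.0/24 alias of lo0.
ext_if    = "xn0"
jail_if   = "lo0"
jails_net = "192.168.0.0/24"
jail_gw   = "192.168.0.1"        # assumed: host's own address on the lo0 alias
www_jail  = "192.168.0.20"       # assumed: jail that serves port 80

# Outside clients reach the service through the public address.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_jail

# Reflection, step 1: a jail that connects to the public address on the
# jail-side interface is redirected to the serving jail instead.
rdr pass on $jail_if proto tcp from $jails_net to ($ext_if) port 80 -> $www_jail

# Reflection, step 2: rewrite the source to the host's jail-side address so
# the server's reply returns through pf and the state above, rather than
# going straight back to the client jail and exposing the untranslated
# (non-public) server address.
nat on $jail_if proto tcp from $jails_net to $www_jail port 80 -> $jail_gw

# Ordinary outbound NAT for jails talking to the Internet; kept on $ext_if
# so it cannot shadow the reflection rules on $jail_if.
nat on $ext_if from $jails_net to any -> ($ext_if)

# Filter rules must still let the redirected traffic through on lo0;
# "rdr pass" above creates the state for the redirected connections.
pass quick on $jail_if all
```

Validate the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm a reflected connection with `pfctl -s state`, which should show the jail client's source rewritten to the host's jail-side address.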