Date: Sun, 22 Jan 2012 18:38:35 +1100
From: other@ahhyes.net
To: <freebsd-jail@freebsd.org>
Subject: Re: nat + pf, network weirdness
Message-ID: <f409a0728a8216b138a7c61d52e2551a@ahhyes.net>
In-Reply-To: <22966.1327155238.9808034899287998464@ffe8.ukr.net>
References: <ccb513567c50edc1c35dbe53cc9ff804@ahhyes.net> <22966.1327155238.9808034899287998464@ffe8.ukr.net>
On 2012-01-22 01:13, Виталий Владимирович wrote:
>> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>>
> You should use Packet Tagging (Policy Filtering).
> Something like this:
>
> nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> nat on $ext_if tag SQL tagged SQL -> ($ext_if)
>
> ......
>
> block in
> block out
> pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark traffic from jail to world
> .....
> pass out quick on $ext_if inet from ($ext_if) tagged WWW <- dispatch only marked WWW
>
> PF is very good in situations like this. With PF it is possible to divide LAN traffic and router traffic easily.

Could someone please explain how the nat rules work in the above example? I had a quick look at the pf manpage for tagging but it does not mention its use in conjunction with NAT. Is there much connection overhead/performance difference by using tags? Is the above the only solution? Why is it I cannot see any traffic via tcpdump on lo1?
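As an added illustration that is not part of the thread, here is a pf.conf that applies the per-jail tag inside the nat rules themselves (the `tag` option the pf.conf(5) translation-rule grammar allows), so the policy does not depend on the jail's packets ever being seen on lo1. It assumes a FreeBSD 9-era pf where translation rules run before filter rules on the outbound path, xn0 and 10.1.1.1 from the thread, and an invented SQL jail at 10.1.1.2 with invented port policies.

```pf
# Added example, not from the thread: per-jail tags applied by the nat rules.
# Assumed layout: jails on lo1 aliases, xn0 facing the outside,
# 10.1.1.1 = WWW jail (from the thread), 10.1.1.2 = SQL jail (invented).
ext_if   = "xn0"
jail_www = "10.1.1.1"
jail_sql = "10.1.1.2"

set skip on lo0

# On the outbound path pf runs translation rules before filter rules, so a
# tag set here is already present when the "pass out ... tagged" rules below
# are evaluated, even though the source address has been rewritten by then.
nat on $ext_if inet from $jail_www to any tag WWW -> ($ext_if)
nat on $ext_if inet from $jail_sql to any tag SQL -> ($ext_if)

block in log all
block out log all

# Egress policy per jail, keyed on the tag rather than on the translated source
# (the port lists are invented for the example).
pass out quick on $ext_if inet proto tcp to any port { 80, 443 } tagged WWW keep state
pass out quick on $ext_if inet proto udp to any port 53 tagged WWW keep state
pass out quick on $ext_if inet proto tcp to any port 5432 tagged SQL keep state

# Tagged packets that matched no policy above must not fall through to the
# host's own egress rule, so drop (and log) them explicitly.
block out log quick on $ext_if tagged WWW
block out log quick on $ext_if tagged SQL

# Untagged traffic originating from the host itself.
pass out quick on $ext_if inet from ($ext_if) to any keep state

# Syntax-check before loading:  pfctl -nf /etc/pf.conf
# Watch what the block rules drop: tcpdump -n -e -ttt -i pflog0
```

Because the tag is attached by the nat rule, the "tagged" filter rules see translated packets with their jail of origin still identifiable, and the pflog0 capture shows which jail any dropped egress came from.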