From: Sten Spans
To: Sławek Żak
Cc: freebsd-net@freebsd.org
Date: Wed, 16 Mar 2005 10:47:25 +0100 (CET)
Subject: Re: Setup of jail bound to lo0
In-Reply-To: <787bbe1c050315152733f79e7c@mail.gmail.com>

On Wed, 16 Mar 2005, Sławek Żak wrote:

> Hi,
>
> I need to have some jails configured, sharing single IP address (IPv6
> is a no-no for the time being:). Therefore I came up with an idea of
> binding them all to lo0 and assigning subsequent IP aliases as the
> addresses. The requirement for the jails is to let them to receive
> (the easy part) and *send* packets to the outside.
>
> The jails cannot directly access the Internet as they cannot bind to
> the external IP address of course. Some translation needs to be made,
> I think. After wrestling with ipfw/ipf/pf for a couple of hours I
> don't have a working solution.
>

pf:

# Tables: similar to macros, but more flexible for many addresses.
table { 1.2.3.4, 5.6.7.8, 9.9.9.9 }

# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $loopback_addr to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination :80
rdr on $ext_if proto tcp from any to port 80 -> $loopback_addr port 80

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
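
The nat/rdr fragment from the reply, filled out into a loadable ruleset with a default-deny filter section. This is an added example, not part of the original message; the interface name, the addresses and the table name <ext_addrs> are assumptions chosen for illustration.

```conf
# /etc/pf.conf sketch for one jail bound to an lo0 alias (added example).
# All names and addresses below are assumptions chosen for illustration.
# The alias is created beforehand with:
#   ifconfig lo0 inet 192.168.100.2 netmask 255.255.255.255 alias

# Macros
ext_if   = "em0"             # external interface (assumed name)
jail_www = "192.168.100.2"   # lo0 alias the jail is bound to (assumed)

# Tables: the host's public address(es); 192.0.2.10 is a documentation
# address standing in for the real one.
table <ext_addrs> { 192.0.2.10 }

# Translation
# Outbound: rewrite the jail's source address to the address of the
# external interface so that replies can find their way back.
nat on $ext_if inet from $jail_www to any -> ($ext_if)

# Inbound: only TCP port 80 on the public address is handed to the jail.
rdr on $ext_if inet proto tcp from any to <ext_addrs> port 80 -> $jail_www port 80

# Filtering
# Translation is applied before filtering, so these rules match the
# already-translated addresses. Everything not passed here is dropped,
# which keeps the jail's other listening ports unreachable from outside.
# Add pass rules for the host's own services (e.g. ssh) as needed.
block in log on $ext_if all
pass in on $ext_if inet proto tcp from any to $jail_www port 80 flags S/SA keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -s nat lists the translation rules once the ruleset is loaded.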